AIGP Day 3

Questions and Answers

Which of the following best encapsulates the risk-based approach of the EU AI Act?

• Focusing solely on the ethical implications of AI, disregarding potential safety concerns.
• Applying uniform, stringent regulations to all AI systems irrespective of their potential impact.
• Tailoring regulatory intensity to correspond with the level of risk posed by different AI systems. (correct)
• Implementing flexible guidelines that encourage innovation without mandatory compliance.

True or false: The EU AI Act's extraterritorial scope means that only organizations physically located within the EU must comply with its regulations.

False (B)

Explain how the EU AI Act aims to balance innovation with safety in the context of artificial intelligence.

The EU AI Act balances innovation with safety by adopting a risk-based approach. It allows for continued AI innovation under appropriate safeguards, ensuring that regulation is proportionate to the level of risk posed by AI systems. This encourages development and deployment of AI that is safe, trustworthy, and respectful of fundamental rights, while still fostering progress and innovation.

To ensure traceability and accountability in critical decision-making environments, GPAI systems for high-risk applications must automatically generate ___________ decision-making processes.

logs

Match the roles defined in the EU AI Act with their primary responsibilities:

Provider = Ensures conformity and proper handling of AI systems within the supply chain. Deployer = Controls design, testing, and risk mitigation strategies for AI systems. Importer = Ensures that the third-country AI system complies with the EU AI Act before it is made available on the EU market. Distributor = Applies an AI system for a specific purpose or goal, ensuring safe and ethical use.

Which of the following AI systems would be classified as 'high-risk' under the EU AI Act due to posing a significant risk to fundamental rights?

AI systems used for biometric identification and categorization of natural persons. (C)

True or false: Under the EU AI Act, conformity assessments are only required for AI systems that process personal data.

False (B)

Describe the 'transparency obligations' for providers of limited-risk AI systems as defined by the EU AI Act.

Providers of limited-risk AI systems must ensure that users are informed when they are interacting with an AI system. This is crucial when the AI system may influence human decisions or behaviors without users being fully aware of it. For example, a customer service chatbot must clearly indicate that it is an AI system, not a human operator.

According to the EU AI Act, AI systems used solely for ____________ purposes by Member States are exempt from the regulations.

national security

Which of the following is NOT a provider obligation for high-risk AI systems under the EU AI Act?

Ensuring AI literacy among the general public. (B)

True or false: Deployers of high-risk AI systems have more extensive obligations under the EU AI Act compared to providers.

False (B)

What is the purpose of conducting a Fundamental Rights Impact Assessment (FRIA) before deploying high-risk AI systems, as required by the EU AI Act for deployers?

The purpose of a FRIA is to assess the potential impact of high-risk AI systems on fundamental rights, including privacy, non-discrimination, and freedom of expression, before deployment. It ensures that risks to fundamental rights are identified and mitigated as part of the broader risk-management process.

Under the EU AI Act, importers must ensure that third-country AI systems comply with the Act, particularly by verifying that the system has undergone the required ____________.

conformity assessment

Which of the following best describes the role of 'distributors' in the context of the EU AI Act?

Entities, other than providers or importers, that make AI systems available on the EU market. (B)

True or false: The EU AI Act imposes the same set of obligations on all General Purpose AI (GPAI) models, regardless of their systemic risk level.

False (B)

Describe two key responsibilities for providers of GPAI models with 'systemic risk' under the EU AI Act.

Two key responsibilities for providers of GPAI models with systemic risk include: 1) Maintaining technical documentation and 2) Making information available to downstream providers who integrate the GPAI model into their AI systems. Other responsibilities include complying with EU copyright law and providing summaries of training data.

Under the EU AI Act, organizations that fail to comply can face substantial penalties, with the highest penalty for prohibited AI reaching up to ___________ of global turnover for the preceding fiscal year.

seven percent

What is the primary function of the European AI Office and AI Board established under the governance structure of the EU AI Act?

To provide technical expertise and central coordination at the EU level for the AI Act. (B)

True or false: Under the EU AI Act, penalties are only applicable to prohibited AI techniques, systems, and uses.

False (B)

Explain the concept of 'conformity assessment' in the context of high-risk AI systems under the EU AI Act.

Conformity assessment is the process of demonstrating whether the requirements set out in Chapter III, Section 2 of the EU AI Act, relating to high-risk AI systems, have been fulfilled. This process is essential for ensuring compliance before placing high-risk AI systems on the market and throughout their lifecycle.

Registration of high-risk AI systems under the EU AI Act is required in a publicly accessible ___________ database before market placement.

EU-wide

Which of the following is a key implication for companies to consider under the EU AI Act's governance framework?

Strategic planning and training for AI governance and compliance. (C)

True or false: The EU AI Act is expected to be the only regulation governing AI in the EU, superseding all other existing EU laws.

False (B)

Explain the concept of 'post-market monitoring' as it relates to high-risk AI systems under the EU AI Act.

Post-market monitoring involves the ongoing surveillance of high-risk AI systems after they are placed on the market. Providers are required to ensure post-market monitoring and system validation to continuously assess performance and identify potential issues throughout the AI system's lifecycle.

To foster innovation for SMEs and startups, the EU AI Act proposes ___________ regulatory obligations, scaled according to the size and risk level of their AI systems.

proportionate

Which of the following is a key aspect of maintaining data governance for GPAI models under the EU AI Act?

Ensuring the training data reflects a wide variety of contexts and avoids bias. (B)

True or false: Under the EU AI Act, 'codes of conduct' for General Purpose AI (GPAI) are mandated and legally binding from the outset.

False (B)

What is the significance of 'human oversight' in the context of high-risk AI systems, as emphasized by the EU AI Act?

Human oversight is crucial to ensure that humans can oversee AI processes, understand how AI systems work, and intervene when necessary to protect fundamental rights and safety. It means enabling humans to understand, interpret output, and override AI outputs.

For high-risk AI systems, providers must maintain a deep level of ____________, specifying technical and functional information to be provided to downstream operators.

transparency

Which of the following best describes the 'Flexibility for SMEs and startups' provision in the EU AI Act?

Simplified and less stringent regulatory obligations for SMEs and startups. (B)

True or false: The EU AI Act's primary goal is to stifle innovation in AI to prioritize safety and ethical considerations.

False (B)

Describe the 'user notification' requirement for limited-risk AI systems that involve interactions where individuals may be unaware of AI involvement.

If a limited-risk AI system involves interactions where individuals may be unaware of its AI-driven nature, the system must provide a clear disclosure that it is AI-based. This is applicable to AI used for content generation or recommendation systems, requiring notifications to users about AI involvement.

Under the EU AI Act, high-risk AI systems must be designed to automatically generate logs that record operational outputs and ____________ processes.

decision-making

Which of the following is NOT a typical category of 'high-risk' AI systems under the EU AI Act?

AI systems used in spam filtering. (D)

True or false: The EU AI Act explicitly prohibits the use of AI in social scoring systems used to evaluate the trustworthiness of people.

True (A)

What is the timeframe for when obligations apply for high-risk AI systems under the EU AI Act after it entered into force?

Obligations for high-risk AI systems apply 24-36 months after the EU AI Act entered into force on 1 August 2024. This allows time for providers and deployers to prepare and implement compliance measures.

Under the EU AI Act, organizations that align with the Act's requirements will be well-positioned to leverage the growing AI market with the confidence of ___________ and global leadership in AI ethics and safety.

compliance

Which of the following is a proposed exemption to reduce restrictions on innovation under the EU AI Act?

Exemption for low-risk research and innovation AI systems. (D)

True or false: The EU AI Act only applies to AI systems developed and deployed within the European Union.

False (B)

What type of documentation is required for high-risk AI systems under the EU AI Act, as part of 'Technical Documentation' requirements?

Technical documentation for high-risk AI systems must maintain a deep level of transparency and include specifications of technical and functional applications in relation to the AI system. It also requires documenting quality-management procedures or additional obligations in the world of documentation.

According to the EU AI Act, ensuring ___________ is crucial for GPAI, as the training data must reflect a wide variety of contexts and avoid bias.

quality and representativeness of training data

Which of the following best describes the 'EU AI Act applicability' principle?

It applies broadly to AI systems placed on the EU market or used within the EU, with extraterritorial scope. (D)

True or false: Under the EU AI Act, AI systems used by people for non-professional reasons are subject to the same stringent regulations as those used in high-risk applications.

False (B)

What are the potential economic impacts of the EU AI Act on organizations, both in terms of challenges and opportunities?

While organizations may face increased compliance costs, the EU AI Act offers legal certainty that fosters investment and innovation. Organizations that align with the Act's requirements will be well-positioned to leverage the growing AI market with the confidence of compliance and global leadership in AI ethics and safety.

In the context of the EU AI Act's risk-based approach, which scenario best exemplifies the principle of proportionality in regulation?

Applying stringent conformity assessments exclusively to AI systems used in critical infrastructure. (A)

True or False: Under the EU AI Act, an AI system developed outside the EU but used to process data of EU citizens solely for non-profit academic research falls outside the Act's extraterritorial scope.

False (B)

Explain how the 'global leadership in AI regulation' impact of the EU AI Act could paradoxically lead to increased compliance costs for organizations operating internationally.

While the EU AI Act aims to set a global standard, it might lead to increased compliance costs because organizations operating globally may choose to adhere to the stricter EU standards as a default to ensure ease and consistency across different jurisdictions, even in regions where such stringent regulations are not mandatory.

According to the EU AI Act, AI systems used solely for the purpose of _________ by member states are exempt from its regulations.

national security and defense

A hospital deploys an AI-driven diagnostic tool developed by a tech company to assist doctors. Under the EU AI Act, how would the roles of the hospital and the tech company be classified?

The tech company is the Provider, and the hospital is the Deployer. (D)

True or False: Under the EU AI Act, 'high-risk' AI systems are exclusively those that directly process sensitive personal data.

False (B)

Explain why 'biometric identification and categorization of natural persons' is classified as a high-risk AI system category under the EU AI Act.

Biometric identification and categorization systems are considered high-risk due to their potential for misuse, leading to mass surveillance, discrimination, and infringement on fundamental rights such as privacy and freedom of movement. These systems can significantly impact individual liberties and societal norms.

For high-risk AI systems, providers are required to implement a Risk Management System as per Article 9 of the EU AI Act, which includes conducting _________ assessments, even after product release.

conformity

Which of the following is NOT a core requirement for 'high-risk' AI systems under the EU AI Act?

Guaranteeing absolute accuracy and zero error rate in all operational contexts. (B)

True or False: Conformity assessments for high-risk AI systems under the EU AI Act are solely required before the system is placed on the market and not during its lifecycle.

False (B)

Describe the purpose of the EU-wide database for high-risk AI systems as mandated by the EU AI Act.

The EU-wide database serves as a publicly accessible registry for high-risk AI systems. It aims to enhance transparency and oversight by providing regulators and the public with key information about registered AI systems before they are placed on the market.

Deployers of high-risk AI systems are required to conduct a Fundamental Rights Impact Assessment (FRIA) before deployment, particularly for systems used in services of _________.

general interest

Which of the following best describes the difference in obligations between providers and deployers of high-risk AI systems under the EU AI Act?

Providers have more technical and comprehensive obligations related to system design and compliance, while deployers have fewer but broader obligations focused on safe and compliant use. (C)

True or False: 'Limited-risk' AI systems under the EU AI Act are exempt from all transparency obligations to users.

False (B)

Explain the 'user notification' requirement for 'limited-risk' AI systems and provide an example of its application.

The 'user notification' requirement mandates clear disclosure when individuals interact with an AI system without being fully aware of its AI-driven nature. For example, AI-based recommendation engines on video platforms must notify users that recommendations are algorithmically generated.

AI systems categorized as 'minimal or no risk' under the EU AI Act, such as _________ and _________, face virtually no restrictions on use or development.

spam filters, AI-enabled video games

Consider a minimal-risk AI system designed for basic inventory management. Under what circumstance could this system potentially become classified as 'high-risk'?

If the system is repurposed to predict employee performance for promotion decisions. (B)

True or False: Under the EU AI Act, all General-Purpose AI (GPAI) models, regardless of their capabilities, are subject to the same stringent compliance requirements.

False (B)

Explain the concept of 'systemic risk' in the context of General-Purpose AI (GPAI) models under the EU AI Act.

'Systemic risk' in GPAI refers to risks arising from the model's generality, capabilities, and potential for widespread impact across various sectors. It acknowledges that powerful GPAI models can pose risks that are not confined to specific applications but are systemic in nature.

For GPAI models 'with systemic risk', one key obligation is to conduct _________ training of the model, also known as 'red-teaming'.

adversarial

Which of the following is NOT a regulatory consideration for General-Purpose AI (GPAI) models under the EU AI Act?

Mandatory registration of all GPAI models in the EU-wide database. (C)

True or False: Under the EU AI Act, sectoral regulators have no role in enforcing the AI Act; enforcement is solely handled by the European AI Office and AI Board.

False (B)

Describe the potential implications for companies in terms of 'strategic planning and training' due to the EU AI Act.

Companies need to strategically plan for AI governance by integrating EU AI Act requirements into their operations, which includes training employees on ethical AI practices, compliance procedures, and risk management related to AI systems.

The highest penalty under the EU AI Act for prohibited AI practices can be up to _________ or up to seven percent of global turnover.

35,000,000 €

Which of the following best represents the 'alignment and dissonance' challenge in global AI regulation?

The varying approaches to AI regulation worldwide, ranging from risk-based to rights-based. (B)

True or False: China's approach to AI governance is primarily 'risk-based', similar to the EU AI Act.

False (B)

Explain why developing a 'compliance strategy based on strictest requirements' is advisable for organizations operating in multiple jurisdictions with AI regulations.

Adopting a compliance strategy based on the strictest regulations ensures that organizations meet the most demanding legal standards across all jurisdictions, simplifying compliance efforts and minimizing the risk of non-compliance penalties in any location.

ISO 22989:2022 is an AI governance framework standard focused on establishing _________ and describing concepts in the area of AI.

terminology

Which aspect of AI governance does ISO 42001:2023 primarily address?

Providing guidelines for using AI responsibly and effectively. (C)

True or False: The HUDERIA framework is primarily designed to create a new legal framework for AI regulation from scratch.

False (B)

What is the main purpose of 'impact assessment models' as promoted by the HUDERIA framework?

Impact assessment models in HUDERIA are designed to incorporate human rights considerations into AI governance, helping to evaluate and mitigate potential impacts of AI systems on fundamental rights.

Data protection and privacy laws present challenges for AI, particularly in addressing traditional privacy principles and applying _________ in AI systems.

data subject rights

Which of the following is NOT a practical recommendation for providers and developers concerning data protection and privacy in AI systems?

Storing all data indefinitely to ensure comprehensive datasets. (D)

True or False: Under GDPR, anonymized data is still considered personal data and thus falls under GDPR's scope.

False (B)

Explain the trade-off between 'data minimization' principles and the need for 'sensitive information' in AI bias testing.

Data minimization encourages limiting the collection of sensitive data, but adequate bias testing of AI models often requires access to sensitive data to ensure fairness and prevent discriminatory outcomes. This creates a tension between privacy and fairness objectives.

In the context of GDPR and AI, _________ data is helpful for protecting data but still considered personal information, making GDPR obligations applicable.

pseudonymized

Which of the following is NOT a condition under which processing of sensitive data is allowed under GDPR?

Processing for direct marketing purposes. (D)

True or False: Data Protection Impact Assessments (DPIAs) and Conformity Assessments (CAs) serve entirely different purposes and have no overlap in their goals.

False (B)

Describe how Conformity Assessments (CAs) can 'envision harms' in the context of AI governance.

CAs envision harms by systematically analyzing potential negative outcomes resulting from AI systems, considering factors like technology development, data sets, learning processes, AI behavior, and long-term impacts to identify risks and inform DPIAs.

When AI adoption falls into the category of 'Performing an existing function in a new way', all existing laws for a sector or jurisdiction _________ apply when AI is used.

still

Which of the following poses a significant 'data licensing challenge' in the context of AI models?

Determining data ownership and licensing rights for raw data and model data. (D)

True or False: Under U.S. 'fair use' doctrine, AI providers can freely use copyrighted material for training AI models without any restrictions.

False (B)

Explain why 'minimum performance metrics' are a key aspect licensees should insist on when licensing AI models.

Minimum performance metrics are crucial to contractually ensure that the licensed AI model meets adequate standards of accuracy, reliability, and robustness, safeguarding the licensee's operational needs and expectations.

In the context of Generative AI and IP, the U.S. Court of Appeals for the Federal Circuit has determined that _________ can be named as inventors on a patent.

ONLY humans

The U.S. Federal Trade Commission (FTC) has broad authority to prevent _________ in general commercial operations, which extends to AI practices.

unfair or deceptive practices (C)

True or False: Existing U.S. laws definitively specify how they apply to AI technologies, leaving no need for interpretation.

False (B)

What is the key transparency requirement for 'recommender systems' under the EU Digital Services Act (DSA)?

Under the EU DSA, online platforms using recommender systems must inform users about how these systems impact the way information is displayed, enhancing user awareness and control.

In 'fault liability regimes' of product liability, the victim must prove that harm was a result of the product-maker's _________ or _________.

action, inaction

How does 'strict liability regime' in product liability laws shift the burden of responsibility compared to 'fault liability regimes'?

Strict liability places the burden on the product maker to ensure product safety and quality, regardless of fault. (D)

True or False: The EU's AI Liability Directive aims to make it more difficult for victims to receive compensation for AI-induced damages.

False (B)

A financial institution is considering deploying an Al-driven loan application system in the EU. To comply with the EU AI Act, which action should the bank prioritize regarding fundamental rights?

Implement safeguards to prevent discrimination and protect individuals' rights. (A)

A U.S.-based company is offering Al-driven services exclusively to clients within the United States. According to the EU AI Act, since the company has no operations or clients within the EU, it is exempt from compliance with the Act.

False (B)

A multinational corporation decides to adopt EU AI Act standards globally to ensure consistent operation. What potential impact does this decision have on its partnerships with organizations operating outside the EU?

It may require similar responsibility from business partners.

A high-risk Al system has been identified within a company. To ensure compliance with the EU AI Act, the company must implement a __________ ____________ System to identify, analyze, and mitigate risks associated with the Al system throughout its lifecycle.

Risk Management

Match the roles defined by the EU AI Act with their responsibilities:

Provider = Controls the design, testing, and risk mitigation strategies for Al systems. Deployer = Applies an Al system for a specific purpose or goal, ensuring safe and ethical use. Importer = Ensures that a third-country Al system complies with the EU AI Act before it is available on the EU market. Distributor = Verifies that Al systems meet all compliance requirements before reaching end-users.

Flashcards

EU AI Act Risk-Based Approach

A risk-based approach allows for continued AI innovation under appropriate safeguards, ensuring proportionate regulation based on AI system risk levels.

EU AI Act Extraterritorial Impact

Non-EU organizations offering AI services or products to EU customers must comply, ensuring compliance for EU users.

EU AI Act Application

The EU AI Act applies if AI systems are placed on the EU market or used within the EU, irrespective of the provider's location.

EU AI Act Exemptions

To foster innovation and enable national security, the EU AI Act includes exemptions for national security, low-risk research, SMEs, startups, and Al used for non-professional reasons.

EU AI Act: Provider

Provider: Entity developing/making available AI systems.

EU AI Act: Deployer

Deployer: Entity using AI for specific purposes.

EU AI Act: Importer

Importer: Entity bringing AI systems from outside the EU into the EU market, ensuring compliance with the EU AI Act.

EU AI Act: Distributor

Distributor: An entity that makes an AI system available on the EU market, ensuring the systems meet all EU compliance requirements before reaching end-users.

EU-wide database for high-risk Al systems

To be registered into a EU-wide database for high-risk AI system, be operated and owned by the European Commission and require providers to establish and document a post-market monitoring system.

High-Risk Al Systems

High-risk AI: Those that manage and operate critical infrastructure, that involve biometric identification or categorization, that involves education and vocational training, and that are components of High risk under the EU legislation

Deployer Obligations

Deployers must do a Fundamental Rights Impact Assessment (FRIA) before deploying AI systems for services of general interest, ensuring proper use, adequate human oversight, and monitoring the AI system.

GPAI obligations 'with systemic risk'

GPAI systems obligations includes; maintaining technical documentation, making information available to downstream Providers who integrate the GPAI model into their AI systems, Complying with the EU copyright law & Providing summaries of training data

Global Al regulation

No one-size-fits-all: Alignment and dissonance in reference to countries that have AI regulations that is of risk based or rights based. Remain alert to regulatory requirements and be prepared to adjust accordingly. To comply with regulations in multiple jurisdictions, develop a compliance strategy based on strictest requirements and harmonize into a unified framework

The EU AI Act on sensitive data

The EU AI Act is applicable to areas of sensitive data for example; Racial or ethnic origin, Political views, Religious or philosophical beliefs, Trade union membership, Genetic data, Biometric data for identification purposes, Health data and Data about an individual's sex life or sexual orientation

Transparency Obligations

Transparency obligations means Providers must ensure that users are informed when they are interacting with an Al system

Study Notes

The EU AI Act in Brief

• It aims to regulate AI use, creating harmonized rules within the EU.
• Balances innovation with safety, ensuring AI development and deployment are safe, trustworthy, and transparent, respecting fundamental rights while promoting progress and innovation.
• A risk-based approach allows for continued AI innovation under appropriate safeguards, tailoring regulation to the risk level of AI systems.
• Promotes AI literacy to ensure both experts and non-experts can interact with AI systems responsibly and safely.
• Addresses potential harms
• It ensures legal certainty to promote investment and innovation in the AI sector.
• Aligns the use of AI with EU core values and individual rights, protecting individuals from harm.
• Provides organizations with legal bases for utilizing AI, considering both its current state and future advancements.

Scenario: Automated Loan Application Assessment

• A bank in the EU considers using an AI system to assess loan applications automatically.
• Applying the EU AI Act means the bank must ensure the AI system is transparent.
• The AI's decision-making process should be explainable to applicants to respect their rights

Extraterritorial Impact

• Compliance is required even for non-EU organizations offering AI services or products to EU customers.
• Organizations outside the EU using third-party services from an EU provider may face information exchange requirements.
• These requirements can affect their general operating practices and contractual obligations.

Global Influence and Economic Effects

• The EU AI Act is expected to set a precedent for AI regulation globally.
• Organizations might choose to operate by EU standards for consistency, potentially requiring similar responsibility from business partners.
• The Act offers legal certainty which fosters investments and innovation and could increase compliance costs.
• Organizations aligned with the Act will be well-positioned in the growing AI market, demonstrating AI ethics and safety leadership.

Breadth of Applicability

• Applies to systems in the EU market or used within the EU, even if providers are not located in the EU.
• Impacts organizations globally and all EU member states.
• A company based in the U.S. develops an AI-driven marketing tool. If this tool is used to target consumers within the EU, the U.S. company must comply with the EU AI Act, regardless of where the tool was developed or where the company is based.

Exemptions

• Includes exemptions to foster innovation and enable national security.
• AI systems used solely for national security purposes by Member States are exempt.
• Low-risk AI systems and research prototypes not deployed for regular use may receive temporary exemptions.
• SMEs and startups receive flexibility in regulatory obligations.
• AI used by public authorities under international agreements for law enforcement or judicial cooperation is exempt.
• AI used by people for non-professional reasons as well as open-source AI (in some cases) are also exempt.

High-Risk AI Categories

• AI used a a safety component of a product
• AI system that poses a significant risk of harm to health, safety or fundamental rights

Fictitious scenario

• Consider an AI system used to predict recidivism rates within the criminal justice system poses a significant risk.
• This means that is within the majority of the Acts requirements

Requirements for High-Risk Systems

• Risk management: Involves identifying, analyzing, and mitigating risks.
• Data governance: Ensures data relevance, error-free status, representativeness, and completeness, implementing robust data management practices.
• Technical documentation: Maintains transparency through specified technical and functional information delivery.
• Record-keeping: Maintains automatic and documented logs to ensure traceability.
• Instructions for Use: Provides clear, concise, and relevant guidelines for system use.
• Human Oversight: Ensures human oversight, making processes understandable and allowing intervention.
• Consistent Performance: Requires regular testing for accuracy, robustness, and resilience to cybersecurity threats.

Fictitious Scenario illustrating how Requirements are Applied

• An organization develops an AI system for diagnosing medical conditions.
• It must implement a risk management system to identify and mitigate potential risks, such as misdiagnosis.
• The system needs regular testing to ensure accuracy, and transparent information should be provided to healthcare professionals

Provider Obligations for High-Risk AI Systems

• Compliance: Meeting EU AI Act's requirements outlined in Articles 8-15.
• Quality Management System (QMS): Implementing a QMS covering all aspects of the AI system's life cycle.
• Documentation Keeping: Maintaining demonstrate compliance documentation.
• Logs: Designing systems to automatically generate logs to record decision-making processes.
• Corrective Actions: Implementing corrective measures if the Al system malfunctions or violates the EU AI Act.
• Conformity Assessment: Demonstrates compliance before placing systems on the market.
• Registration: Registering systems on a publicly accessible EU-wide database and details.
• Serious Incident Reporting: Report incidents or issues that impact the fundamental rights.

Illustrative Examples for High Risk systems according to the EU AI Act:

1. Corrective actions and duty of information relating to regulatory authorities and users of signiciant risks of malfunctions.
2. Inform regulatory authorities and users of any significant malfunctions or risks posed by system (Article 20).
3. Implement corrective measures if a high risk Al system malfunctions or violates Al act (Article 20)

Conformity Assessment

• Assessing AI System risk to the health, safety and fundamental rights of individuals.
• Applies to Al in recruitment, biometric identification, safety components, essential services access, and critical infrastructure safety.

Illustrative scenario

• A company that manufactures medical devices that use AI must implement a conformity assessment because health is at stake in the use of the device.
• If during the conformity assessment a potential breach is recognised, the company has a duty of information and notify regulatory authorities

EU-Wide Database

• It is a public tool, accessible by anyone.
• Operated by the European Commission.
• Contains data provided by AI system providers.

Post-Market Monitoring

• Designed to track system performance after it has been sold.
• Crucial reporting occurs if there is a serious incident of AI malfunctioning that breaches fundamental rights.

Deployer Obligations for High-Risk Systems

• Fewer obligations than provider, but broader
• Focus: transparency and risk monitoring

Deploys must:

• Conduct a Fundamental Rights Impact Assessment (FRIA)
• Use the Al System Properly
• Implement Adequate Human Oversight
• Monitorn Al System Performance
• Maintain Logs and Documentation

Example Illustrating an organization's Requirements as High Risk Deployer:

• Hospitals must conduct a Fundamental Rights Impact Assessment before deploying high-risk AI systems
• This entails assessing the potential effects on individuals' fundamental rights, including discrimination and privacy.

High-Risk Example in Healthcare

• Healthcare organizations need to implement a risk management system for AI used in disease diagnosis, ensuring patient data is handled properly.
• This includes proper anonymization, encryption, and compliance with GDPR.

Complying with the TRANSPARENCY obligation entails:

• Disclosing information about the Al systems, accuracy rates, biases, and limitations.
• Developing a system where healthcare professionals oversee the Al system, understanding processes output, and intervention in system.
• Creating a quality management system to ensure the AI is compliant to requirements and regulatory standards.
• Regularly reporting incidents when the diagnostic results caused harm.

Examples that illustrate the difference between Importers and Distributors in the EU:

• Importers have to ensure foreign tools into the EU meet EU safety standards
• Distributors veriy compliance of these products and appropriate storage when they make AI systems available on the EU market.

Importer and Distributor Requirements for High Risk Al Systems

• Importers: Ensure High-Risk Al comply with EU AI Act and the undergoing assessment before placing on the EU market, and there is data registration.
• Distributors: Ensure no modifications for compliance, and there are documentations to support the authorities

AI WITH LIMITED TRANSPARENCY

• Systems requiring transparency apply to those to designed interact with people, and the ones which manipulate content.

Deployers of AI WITH LIMITED TRANSPARENCY must:

• Inform, and obtain consent of, those exposed to permitted emotion recognition or biometric categorization systems
• Disclose and clearly label visual or audio deepfake content that was manipulated by Al

MINIMAL AL RISK and EXAMPLES

• Virtually no restrictions
• Codes Eventually
• Spam filters, Al enabled games and inventory and management system

General Purpose AI Models and Systems

• GPAI models display generality and perform a variety of distinct tasks.
• Integrated into downstream systems.

There are multiple obligations for Systemic Risk and Other GPAi

• Systemic Risk GPAI: 1) maintain documentations
• Other GPAI includes data training, EU copywrite (1-4)

Considerations for GPAI

• GPAI undergo assessment
• Oversight to prevent unharmful outcomes.
• Management of the model behavior and performances.

Requirements of Areas and Regulators and Compliance

• Consider Data Governance and data for training and transparency and documentation
• The training data reflects the context

Review Question 1:

• Ensuring the AI systems are subject to human oversight helps mitigate risks and ensure they do not autonomously infringe on rights

Question

Which AI system are considered high-risk" under the EU AI Act?

A Al crdit scoring used to evaluate the trustworthiness of people B Deep Fake vids C. Al Systems used to establish priority in emergency services D. Al used in pharmaceuticla Stage

Answer: Al Systems used to establish priority in emergency service

Conformity test question

• The al conformity assessment is NOT ONLY reuqired if AL in application processes handles the persona data.

Article 99 EU AI Act

• Provide any misleading inforamtion on report or
• Member must report annually

AI REGULATION

ONE size does not fit all. No ONE size fits all. Laws already in place that address Al and ML.

US Federal Guidance for AL and its details

• There is sector Specific legislations that need Al oversight and developments.

AL Governance

• Consider Al Development (Who and has requirement)
• All Procurement (vetting requirements)
• USE Guidance

AL Governance framework

ISO 22989- need for AI standardization and harmonization in all regulations

AI governance framework

• ISO 42001: 2023
• Guide the use of Al for responsible and effective AI, with Al projects, assessment of risks
• Consider issues and designs of systems in control

Al System

Determine what is required objectives and what parties are involved and organizational policy and trustworthiness. Al provides a partner for the developers of Al systems .

The framework

HUDERIA- legal framework

• Al centered approaches
• Use risk assessment
• Formulate impact assessment

Review question 1

• Not only are certain penalties reserved for instances of highest instances of noncompliance Al, there are also other times

Data and privacy

• Laws for data protection with limited knowledge or consent. Is this data reliable?

Data anonymization- data or pseudonymization

• pseudonymization: still personal data
• anonymized data does not apply

AL System Scale

Must have privacy controls, and PET's Homomorphic- data must encrypted but limited- SECURED has limited operations with the al design.

DPIAs & CA'S

To provide more technical documentation. Goals is to identify the data. What set is potential and impact at all times