The EU Artificial Intelligence Act (AI Act) was passed by the European Parliament on Wednesday, June 14. Now, a final trial process will be conducted by the EU Parliament, Commission, and Council to discuss the law’s final draught. The act won’t become a law until after a few months of this procedure. The AI Act will have a substantial impact on how organizations build, deploy, and manage their AI systems. It will also pave the way for additional regulatory action from other legislative bodies throughout the world, much as how GDPR triggered a global paradigm shift for data privacy.
It shouldn’t be expected of machine learning engineers to fully grasp the nuances of the law. The legal or compliance teams will be accountable for that. The innovation and creation of new opportunities for efficiency and effectiveness should be the primary emphasis of AI/ML practitioners. A fundamental comprehension of the regulatory standards will be required because new duties will arise for these teams.
Let’s start by making one thing clear about the AI Act: since it’s impossible for legislation to keep up with the rate of AI research and development and model versioning, the rule does not specifically target the models themselves. Instead, they will work to control the personnel and procedures that organizations utilize to create and implement their AI use cases. To guarantee that AI use cases are properly documented, vetted, and monitored, machine learning and data science practitioners’ “day to day” is going to undergo a drastic change.
The EU AI Act is predicted to be passed in early 2024, with full enforcement occurring in 2026. Here are some essential details regarding this new, controlled future that AI/ML teams should be aware of.
● Standardized Documentation
The AI Act divides specific use cases into 4 risk categories: unacceptable (prohibited), high, medium, and low risk. ML models are not included in this classification. The act categorizes some particular applications of AI, including “social score,” as too hazardous and outright prohibits use. High risk AI use cases are ones where prejudice or malfunction could severely impair a person’s physical, financial, or emotional well-being. This degree of risk will be accompanied by stringent regulatory measures, such as registration with an EU monitoring body.
Systems with a medium level of risk are those in which a user may interact with an AI agent and where it is necessary to clearly disclose AI to the user. The majority of other AI use cases, excluding those covered by other regulations already in place, will fall into the “low risk” category, where the law doesn’t place a significant burden on regulators but does call for an inventory of such use cases. To guarantee that the appropriate risk category is identified, AI/ML teams will be expected to have their AI use cases documented and assessed by a dedicated compliance or AI governance team.
● Documentation Accessibility
AI systems and use cases will need to be documented differently as the range of stakeholders interested in AI Governance grows. The standard forms of documentation, such as README files in code repositories, system diagrams, code comments, and outputs from technical notebooks, will be insufficient and unavailable to non-technical users. There will be a need for new systems of documentation, and these systems must successfully bridge the gap between business-level concepts, technical requirements, and technical details. This will enable a thorough understanding of the technical work and its limitations in relation to the organization as a whole.
● Generative AI Liability
Clearer guidelines for organizations adopting generative AI systems and fundamental models were one of the largest adjustments the EU Parliament made to the AI Act. The precise set of needs will be one of the largest unknowns for the upcoming few months, but the best way to get ready will be to start implementing some testing and assessment processes for generative AI use cases. A good starting point for the kinds of risk mitigation measures that the AI Act may mandate is, for instance, carrying out a modest internal study on how frequently a particular prompt may “hallucinate” and documenting the findings.
● Testing & Human Evaluations
Many models are frequently assessed using some error metrics that are produced from a stored set of training data. These are helpful for training objectives, but less so as a gauge of the model’s potential performance in the actual world. When compared to ordinary software systems, substantially fewer machine learning (ML) systems offer unit, integration, and regression tests as part of a continuous deployment strategy. To make sure that the models are of high quality, organizations should create their own evaluation tasks that can be incorporated into a testing suite. Additionally, an internal control that cannot be readily “gamed” is made possible by using a common set of evaluation tasks completed by someone other than the model developer.
● Model Update Workflows
A clear set of organized protocols for updating any AI employed in a “high risk” use case is required. A ML model may undergo varying levels of assessment for compliance reasons depending on the type of changes that are made. Small changes to the hyper-parameters, for instance, can be regarded as safe, whereas a more than 50% increase in the size of the training dataset might cause compliance issues. Organizations should proactively create an extensive “playbook” defining which types of system updates call for alternative re-evaluation workflows and processes, despite the EU Commission’s assurances of upcoming guidance following the passage of the AI Act.
● Conformity Assessment for High Risk Use Cases
For machine learning engineers to successfully traverse the regulatory landscape, they must be aware of the critical elements of compliance assessments. Organizations and service providers must set up a strong quality management system that includes a variety of components for internal assessments, such as thorough risk management, vigilant post-market monitoring, effective incident reporting processes (including data breaches and system malfunctions), and the capacity to recognize risks that weren’t previously known. The management of data should also have strict testing and validation methods in place. Similar to other industries like medical devices or food goods, it may occasionally be essential to seek independent third-party assessments in order to gain a certification that certifies the AI system’s adherence to regulatory norms.
A huge change is coming for machine learning experts thanks to the AI Act, a significant advancement in the regulatory environment for AI. Even though there are still some questions about the ultimate form of the AI Act, it is critical for AI developers and businesses to actively get ready for the coming legal obligations. AI developers may manage the shifting landscape with greater clarity and adaptability by remaining educated, participating in industry debates, and working with legal and regulatory professionals.
In order to ensure successful compliance with the AI Act and develop confidence in AI systems, it will be crucial to adopt responsible AI governance practices, put in place rigorous conformity assessment procedures, and cultivate a culture of transparency and accountability. A future in which AI is implemented responsibly, ethically, and with the utmost concern for the broader social impact will be shaped by AI engineers as the regulatory landscape continues to change.
