{"id":111,"date":"2023-12-08T09:55:00","date_gmt":"2023-12-08T09:55:00","guid":{"rendered":"https:\/\/baecke.io\/?p=111"},"modified":"2023-12-08T09:55:00","modified_gmt":"2023-12-08T09:55:00","slug":"eu-ai-act-political-agreement-enterprise-strategy-2024","status":"publish","type":"post","link":"https:\/\/baecke.io\/?p=111","title":{"rendered":"EU AI Act: What the Political Agreement Means for Enterprise Technology Strategy in 2024"},"content":{"rendered":"<h2>The Agreement That Sets the Rules<\/h2>\n<p>European Union negotiators reached political agreement on the AI Act on 8 December 2023, concluding trilogue negotiations that had been running since June 2023. The final text requires formal approval by the European Parliament and the Council, which is expected in early 2024, before formal publication and the beginning of the compliance timeline.<\/p>\n<p>For enterprise technology leaders, the political agreement is the signal that the regulatory framework is no longer a proposal that might change substantially before it applies. The core architecture of the Act, including its risk-based classification framework, the obligations for high-risk AI systems, and the prohibited practices provisions, has been settled. Planning for EU AI Act compliance can begin with the confidence that the planning will not be made obsolete by a fundamental change in the regulatory approach.<\/p>\n<p>The compliance timeline is graduated, with different provisions entering into force at different points following publication. Prohibited practices apply from the sixth month after entry into force. Obligations for high-risk AI systems in Annex I apply from the twelfth month. Obligations for other high-risk AI systems and general-purpose AI models apply from the twenty-fourth month. 
The full regulation, including all obligations, applies from the thirty-sixth month after entry into force.<\/p>\n<p>For an enterprise beginning compliance planning in early 2024, the practical starting point is identifying which provisions apply earliest, which AI systems in the current portfolio would be classified as prohibited or high-risk, and what the compliance requirements mean for planned AI investments.<\/p>\n<h2>The Risk Classification Framework<\/h2>\n<p>The EU AI Act classifies AI systems into four risk categories, each with different compliance obligations.<\/p>\n<p>Unacceptable risk AI systems are prohibited. The final political agreement&#8217;s prohibited list includes social scoring systems used by public authorities, AI systems that exploit human vulnerabilities to materially distort behaviour in harmful ways, real-time biometric identification in public spaces for law enforcement except in specifically defined circumstances, and AI systems for predictive policing based on profiling. The vast majority of enterprise AI systems are not in this category, but the compliance obligation is to verify this, not to assume it.<\/p>\n<p>High-risk AI systems carry the most significant compliance obligations. 
The high-risk classification applies to AI systems used in regulated products that require third-party conformity assessment, and to AI systems in specific use cases listed in Annex III: biometric identification and categorisation, critical infrastructure management, education and vocational training systems, employment and worker management systems that affect access to employment, essential private and public services, law enforcement, migration and asylum systems, and administration of justice and democratic processes.<\/p>\n<p>Enterprise organisations operating AI systems in these categories, which include AI-assisted hiring systems, credit scoring systems, AI-assisted medical devices, and AI systems affecting access to public services, face substantial compliance obligations: registration in the EU database, technical documentation, conformity assessment, human oversight mechanisms, transparency requirements, and accuracy and robustness standards.<\/p>\n<p>Limited risk AI systems, including chatbots and deepfake generators, face transparency obligations: users must be informed when they are interacting with an AI system and when they are viewing AI-generated content.<\/p>\n<p>Minimal risk systems face no specific compliance obligations under the Act.<\/p>\n<h2>The Implications for AI Investment Decisions<\/h2>\n<p>The Act&#8217;s risk classification has direct implications for how enterprises should approach AI investment in 2024.<\/p>\n<p>For enterprises with AI systems currently in development that would be classified as high-risk under Annex III, the compliance obligations need to be incorporated into the development specification. The technical documentation requirements, the logging and monitoring requirements, the human oversight design, and the conformity assessment process all affect system architecture and must be addressed before deployment rather than after. 
Retrofitting compliance onto a deployed high-risk AI system is significantly more expensive and disruptive than building compliance in from the start.<\/p>\n<p>For enterprises procuring AI systems from third-party vendors, the Act creates vendor assessment requirements. Providers of high-risk AI systems must provide technical documentation, a declaration of conformity, and ongoing incident reporting. Procurement of high-risk AI systems should include verification that the provider meets these obligations, which in practice requires adding AI Act compliance to vendor security and compliance assessment frameworks.<\/p>\n<p>For enterprises planning new AI investments, the risk classification should be part of the use case assessment that precedes investment approval. A use case that would result in a high-risk AI system carries compliance costs and timeline implications that should be factored into the investment case. In some cases, the compliance requirements may change the scope or architecture of the AI system to avoid classification as high-risk while preserving the core business value.<\/p>\n<h2>General-Purpose AI Models: The Dimension That Affects Most Enterprises<\/h2>\n<p>One of the most significant additions to the AI Act in the trilogue negotiations was the inclusion of specific provisions for general-purpose AI models, the foundation models like GPT-4 and Claude that are deployed through APIs by enterprise customers building AI applications.<\/p>\n<p>Providers of general-purpose AI models face obligations for technical documentation, transparency about training data, and compliance with EU copyright law. Providers of very large models that could pose systemic risk face additional requirements including adversarial testing and reporting obligations.<\/p>\n<p>For enterprise customers using general-purpose AI models through APIs rather than deploying models themselves, the implications are less direct but not insignificant. 
The compliance status of the model provider under the AI Act affects the risk profile of using their models. Enterprise customers integrating AI Act-regulated models into high-risk AI systems inherit compliance obligations around the model component of their system. And the transparency requirements for general-purpose AI models will create documentation that enterprise customers can use in their own compliance assessments.<\/p>\n<h2>Starting the Compliance Programme<\/h2>\n<p>The enterprises that will be ahead on EU AI Act compliance are those that begin with an AI inventory rather than with a compliance programme. Knowing which AI systems are in development or deployment, understanding their use cases well enough to apply the risk classification framework, and identifying which systems require compliance investment before the relevant provisions apply is the foundation that makes the compliance programme tractable.<\/p>\n<p>The compliance programme that follows the inventory has three tracks: prohibited practice verification for all AI systems, high-risk system compliance for systems in Annex III categories, and general procurement and vendor assessment updates for AI systems procured from third parties.<\/p>\n<p>The December 2023 political agreement has set the rules. The question for 2024 is whether organisations act on them proactively or reactively.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The December 2023 political agreement on the EU AI Act sets the regulatory trajectory for AI deployment across European enterprises. 
The compliance timeline and the implications for AI investment deserve immediate attention.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-111","post","type-post","status-publish","format-standard","hentry","category-executive-briefings"],"_links":{"self":[{"href":"https:\/\/baecke.io\/index.php?rest_route=\/wp\/v2\/posts\/111","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/baecke.io\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/baecke.io\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/baecke.io\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/baecke.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=111"}],"version-history":[{"count":0,"href":"https:\/\/baecke.io\/index.php?rest_route=\/wp\/v2\/posts\/111\/revisions"}],"wp:attachment":[{"href":"https:\/\/baecke.io\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=111"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/baecke.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=111"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/baecke.io\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=111"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}