Understanding the EU AI Act: a strategic imperative

Effective AI governance is essential to mitigate risks, protect individual rights, and promote public trust in AI systems. It encompasses various dimensions, including transparency, accountability, fairness, and security. The Act categorizes AI systems into four risk levels. Each category is subject to different regulatory requirements, with the most stringent measures applied to high-risk AI systems.

Practical Scenario: Consider a company developing an AI recruitment tool that faces allegations of bias due to poor data practices – e.g., it was trained on past hiring data that favored a particular demographic, like candidates from certain universities. Because of this, the system automatically filters out resumes of candidates from certain backgrounds, even though they are highly qualified, resulting in a shrinking talent pool, legal and reputation risks (e.g., discrimination lawsuits and bad press), and lack of innovation (e.g., a homogenous team leads to weaker problem-solving). These serious issues could have been avoided with strong governance.

To share a real-life example, take the case of the National Health Service (NHS), in the UK, where an AI system shared patient data without consent back in 2015, resulting in legal and ethical concerns, and eventually legal action.

The EU AI Act lays out the following foundational pillars, to help organizations using AI avoid situations like the above:
• Prohibition of Unacceptable AI Practices: AI systems that pose a clear threat to safety, livelihoods, and rights are banned. This includes AI systems that manipulate human behavior or exploit vulnerabilities.
• Regulation of High-Risk AI Systems: High-risk AI systems, such as those used in critical infrastructure, education, employment, and law enforcement, must comply with strict requirements related to data quality, transparency, and human oversight.
• Transparency Obligations: AI systems interacting with humans, generating deepfakes, or used for biometric identification must disclose their nature to users.
• Governance and Enforcement: The Act establishes national supervisory authorities and a European Artificial Intelligence Board to ensure compliance and enforcement.

Businesses developing or deploying high-risk AI must maintain detailed technical documentation, ensure traceability of data used for AI training and testing, and conduct conformity assessments before deployment.

The cornerstone of compliance: the unavoidable importance of data management

At the cornerstone of AI compliance is the reliance on data, making effective data management indispensable for compliance with the EU AI Act. In what ways is data essential in AI management?
1. Data Quality and Integrity: High-quality, accurate, and unbiased data is essential for training reliable AI models.
2. Data Privacy and Security: Compliance with data protection regulations, such as the General Data Protection Regulation (GDPR), is paramount. Organizations must adopt measures to protect personal data and ensure data security.
3. Data Transparency and Accountability: Transparent data practices and clear documentation are critical for accountability. Organizations should maintain detailed records of data sources, processing methods, and AI model performance.
4. Ethical Data Use: Ethical considerations should guide data collection, processing, and usage. Organizations must avoid biases, discrimination, and unfair practices in their AI systems.

Practical Scenario: A company discovers inconsistencies in its data governance during an audit, delaying a new AI product launch – e.g., imagine an e-commerce company developing an AI-powered pricing system realizing that the AI system was trained on scraped competitor pricing data (violating antitrust regulations), and customer purchase history data without obtaining explicit user consent. Early investment in governance could have prevented these unnecessary roadblocks.

To look at a real-life example, EY recently assisted a public services organization in defining a robust operating model for its AI program, enhancing data quality and accountability in order to streamline product development, reduce compliance risks, and accelerate time-to-market for innovative AI solutions.

Preparing for today and for the future: key actions for businesses

As the EU AI Act paves the way for a regulated AI landscape, it’s crucial for European businesses to prepare for compliance. Proactive steps will not only help avoid penalties but also enable organizations to leverage AI ethically and responsibly, ensuring a competitive edge in the future.

Timeline

 

 

 

 

 

 

 

 

 

Ideas for effective AI governance

What are some of the basic steps firms can take to kickstart their journey to AI Act compliance?

Conduct a Comprehensive AI Assessment:
• Key Points: Assess all AI systems currently in use within the organization to determine their risk levels according to EU AI Act risk categories.
• Measures: Create an inventory of AI systems, classify them by risk level, and evaluate their compliance with the Act’s requirements.
• Ideas: Automate the AI assessment process and identify potential gaps.

Implement Robust Data Governance Frameworks:
• Key Points: Always underestimated, establish policies and procedures for data management, ensuring data quality, integrity, and security of data used by AI.
• Measures: Develop data governance policies, appoint data stewards, and implement data quality controls.
• Ideas: Centralize data governance activities for AI systems and ensure consistency across the organization.

Define and Invest in AI Ethics and Compliance Training:
• Key Points: Define AI ethics principles and provide AI literacy programs for employees to raise awareness about AI ethics, compliance requirements, and responsible AI practices.
• Measures: Create a repository of AI ethics principles to be used across the organization and develop training modules on AI ethics, the EU AI Act, and data protection regulations.
• Ideas: Create interactive workshops and e-learning courses to engage employees and reinforce key concepts.

Case study: How has EY helped firms with their compliance journey

The above are just a few steps. But how do you enhance transparency and accountability? Are your policies, procedures, standards, and guidelines compliant?
As AI technologies become integral to organizational operations, experts can ensure that AI initiatives are governed effectively and align with the EU AI Act. EY undertook the actions for an international client.

AI governance insights enablement

This process began with conducting interviews to gain in-depth insights into the program’s scope, strategy, and future plans. Following this, we facilitated an insight enablement workshop that focused on best practices in AI governance and risk management. The workshop covered critical areas such as governance design, operating model structures, intake processes, and policy formulation, providing a robust framework for effective AI governance.

AI GRC assessment

The assessment involved leveraging insights gained from AI Governance Insights to conduct a comprehensive evaluation of the client’s enterprise-level AI risk practices. This culminated in the preparation of a detailed findings and recommendation report, which offered management actionable insights and strategic guidance aimed at strengthening their AI risk framework.

Strategic opportunities for businesses

Instead of perceiving the EU AI Act as a burden, businesses can harness it as a powerful tool for gaining a competitive advantage. By committing to ethical AI practices, companies can build trust and foster stronger relationships with customers and partners. Compliance with the Act also paves the way for expansion into regulated markets where responsible AI is essential. Furthermore, the Act encourages innovation that aligns with societal expectations and regulatory standards, enabling businesses to develop AI solutions that not only meet compliance requirements but also resonate with consumers and stakeholders alike.

Conclusion

AI governance is now essential for businesses. The EU AI Act sets clear regulations, emphasizing data management to protect rights and public trust while fostering innovation. This presents both challenges and opportunities. Companies need help and advice to proactively audit systems, improve data quality, and adopt governance frameworks to turn compliance into a strategic advantage. Collaboration among policymakers, industry, and the public is crucial for navigating AI governance complexities and ensuring an ethical AI future. Compliance may seem complex, but it’s also an opportunity to innovate, lead, and thrive in a regulated world.

Download our brochure here

Authors:
Abdelhay Toudma, EY Luxembourg Partner, Consulting, Cyber and Digital Risk
Ranjit Gopalan, EY Luxembourg Senior Manager, Technology Consulting