
EU AI Act Introduces Unique Tiered System for Risks

Published 06/20/2024


Originally published by Truyo.


With the full text of the EU AI Act made public, Truyo President Dan Clarke read through the Act in its entirety to identify key elements that will be crucial to compliance for organizations in scope. The Act includes the conventional components of transparency, privacy, education, security, non-discrimination, and risk assessment.

Where it differs from current and proposed AI legislation, according to Clarke, is in the tiered system and the different obligations for each level based on relative risk. “This comprehensive act applies to all companies utilizing or offering systems based on AI within the EU, regardless of origination or size. It is remarkably consistent with the White House executive order and subsequent blueprint for an AI bill of rights, including emphasis on safety and protection against discrimination/bias.”

Clarke posits, “From a commercial perspective, we expect the most common high-risk AI systems will be centered around education, security (facial recognition), and the employment/recruiting function, especially for multinationals based outside the EU. Unacceptable risk is centered around discrimination and bias, especially via subliminal or similar techniques applied to vulnerable or disadvantaged groups.”


Introducing a Tiered System for Unacceptable and High AI Risk

The tiered system comprises an unacceptable-risk tier and a high-risk tier. The unacceptable-risk tier effectively bans social scoring and systems employing subliminal techniques beyond an individual’s consciousness to distort behavior in a way that causes, or is likely to cause, physical or psychological harm. The law also forbids the use of AI systems that exploit susceptibilities associated with age or physical or mental disability, leading to harm for individuals within those specific groups.

The Act defines the next tier as high-risk and prescribes obligations for companies engaged with high-risk systems, including the following requirements:

  • Implementation of a risk management system
  • Data quality analysis and data governance program
  • Technical documentation
  • Record-keeping
  • Transparency and provisions of information to users
  • Human oversight
  • Accuracy, robustness, and cybersecurity

For high-risk AI systems, companies must provide users with comprehensive information about the system’s ownership, contact details, characteristics, limitations, performance metrics, and potential risks. This includes specifications for input data, changes to the system, human oversight measures, and expected lifetime with maintenance details. The development of such AI systems, especially those using model training, demands strict adherence to guidelines for quality datasets, considering design choices, biases, and specific user characteristics.

This demand for greater transparency and human oversight aims to enable users to understand and use outputs appropriately, and the Act requires technical solutions that address exposures such as data poisoning and adversarial examples. “This regulation is a significant step, and I think most importantly launches terms like ‘responsible AI’ and ‘trustworthy AI’ to the front of our discussion. This is the true beginning of regulated AI governance,” says Clarke.


Ethical Principles Outlined in the EU AI Act

The EU AI Act emphasizes several ethical principles that align with its objectives and regulations. These principles are crucial for ensuring the responsible development, deployment, and use of AI systems. The key ethical principles compatible with the EU AI Act include:

  • Respect for Human Autonomy: Ensuring AI systems support human decision-making without undermining human agency and the ability to make choices freely and independently.
  • Prevention of Harm: Prioritizing the safety and security of AI systems to prevent physical, psychological, and financial harm to individuals and society.
  • Fairness and Non-Discrimination: Designing and operating AI systems in a way that prevents bias and discrimination, ensuring equitable treatment and outcomes for all users.
  • Transparency and Explainability: AI systems should be transparent, with decisions made by these systems being understandable and explainable to users and affected parties.
  • Privacy and Data Governance: Upholding high standards of data protection and privacy, ensuring the confidentiality and integrity of personal data processed by AI systems.
  • Societal and Environmental Well-being: Ensuring the development and use of AI contributes positively to societal progress and environmental sustainability.
  • Accountability: Establishing clear responsibilities for AI system developers, deployers, and operators to ensure they can be held accountable for the functioning and impacts of these systems.

These core principles reflect the EU AI Act’s commitment to fostering an AI ecosystem that is safe, trustworthy, and respects the fundamental rights and values of consumers.



About the Author

Dan Clarke is a former Intel® executive who held numerous leadership roles and was pulled into the privacy space after a call from Intel® anticipating GDPR’s implementation. Dan’s privacy expertise comes from developing the Truyo platform, which automates compliance with current and emerging privacy laws for enterprise-level companies. Clarke is a privacy thought leader involved in Arizona, Texas, and federal privacy legislation. Dan helped Truyo step into the AI Governance realm by developing the first comprehensive AI Governance Platform and creating a 5 Steps to Defensible AI Governance workshop that has been conducted with enterprise companies across the United States.
