A Practical Guide to Identifying ‘AI Systems’ for the EU AI Act

‘AI systems’ are the defined concept in AI laws, standards and frameworks in the EU and US. However, the definitions of ‘AI system’ do not provide clear guidance to practitioners on how to interpret the definition.

The EU AI Act defines AI system as:

“a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments”

‍

Is an AI system different from an AI use case?

AI systems can include multiple AI models, datasets and non-AI technology elements that achieve specific tasks. Additionally, AI systems are distinct from AI use cases, since an AI system can achieve the same task in different use cases, giving rise to different risks.

For example, an AI system that uses multiple computer vision models, datasets and non-AI technology elements to identify sports equipment in videos can be used to provide commentary on sporting events or to identify sports equipment at the check-in line at airports to alert customer service representatives. Each of these use cases would entail different risks.

‍

Is an AI system a platform, product, or service?

Given the EU AI Act’s definition of AI system (based on the OECD’s definition and roughly aligned with those in the NIST AI RMF and the Colorado AI Act), practitioners often struggle to delineate the boundaries of an AI system. It could describe a platform (a technology environment in which people can achieve certain tasks – for example, an internal instance of GPT-4 to help employees develop applications), a product (for example, a smart hearing device for seniors), or a service (for example, a recommender system for which videos to watch next).

‍

Can two AI systems share many of the same components?

Digitally-mature businesses often maintain important centralized datasets that can be used by different teams in different ways. These businesses will often have multiple AI systems that draw upon the same datasets or models. Practitioners at these businesses may find it challenging to develop compliance documentation at the AI system level given the significant overlaps in components of different AI systems.

‍

‍

How businesses can get started

Adopt a definition of AI system:

Businesses should adopt a definition of ‘AI system’ internally, based on the jurisdictions they operate in. For example, a business primarily focused on the EU could internally use the EU AI Act’s definition of AI system and ensure that it is reflected in associated internal policies, such as those related to privacy, data governance, information security and risk management.

Inventory AI systems with many users, sensitive uses and clearer AI elements:

‍Creating an AI inventory will be necessary for compliance going forward. However, developing an inventory of all AI systems within a business is a daunting task. Practitioners can first inventory AI systems that have many users, sensitive uses (such as employment, educational, health, or financial) and clear AI elements (such as machine learning and generative AI systems), before moving on to other AI systems.

Leverage software and automation:

‍Tracking the relationships between AI systems, models, datasets and use cases and developing compliance documentation requires fit-for-purpose tooling. Enzai helps businesses import information at the AI system, model, dataset and use case level and seamlessly generate compliance documentation at the AI system level. It also provides enterprise-level AI risk dashboards, gap analyses to different jurisdictions and automated report generation.

Enzai is here to help

Enzai’s product can help your company align with the EU AI Act, the Colorado AI Act, the NIST AI RMF, ISO/IEC 42001 and other global regulatory and assurance regimes. To learn more, get in touch here.