(Continued from previous article: Impact of EU AI Act on India)
EU AI Act expects that “Providers”, “Deployers” and other “Trade intermediaries” shall be bound by the law (Effective from 2026).
The compliance to EU-AI act starts with flagging a “Product” or “Service” as “AI Product/Service”. Hence the definition of what constitutes an “AI System” becomes key to the compliance.
According to Article 3(1)
‘AI system‘ is a machine-based system designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments;
Though the compliance is based on the “Risk Assessment”, the applicability at the foundation stage is guided by this definition. (Other aspects of applicability are who is the user and where it is being used).
The ISO 420o1 is made applicable to an “AI management system” (AIMS) but does not clearly define how an organization can identify which part of its business is AI and which is not. It adopts ISO/IEC 22989:2022 for definition which vaguely defines Artificial intelligence as
“an engineered system set of methods or automated entities that together build, optimize and apply a physical, mathematical, or otherwise logical representation of a system, entity, phenomenon, process or data so that the system can, for a given set of predefined tasks compute predictions, recommendations, or decisions”.
It is important for us to realize that at the umbrella level, all software systems are “Intelligent”. But the intelligence of a software system is limited to the instructions already embedded as the “Code”. The software therefore is a faithful servant that remembers the instructions and executes it based on the context.
An AI is a special software which has two key characteristics namely “Autonomy” and “Adaptiveness” as stated in the EU-AI definition. The ISO 42001 definition only speaks of “Predictions” and “Decisions” as terms that can be attributed to the nature of AI as different from other software.
In contrast the definitions arising from organizations like UNESCO which focus on the impact of AI on people recommend that
“AI systems are systems which have the capacity to process data and information in a way that resembles intelligent behaviour, and typically includes aspects of reasoning, learning, perception, prediction, planning or control.”
Taking these three definitions into consideration DGPSI adopts the following definition for AI.
Definition of AI under DGPSI
AI is a class of automated data processing system where the human intervention in decision output and application of decision to a business decision is below an acceptable threshold.
In order to define the threshold, three classes of AI are recognized as part of the definition.
Class 1:
Any software that has a Code correcting ability without the intervention of a human developer to generate an output is considered as an AI system-Class 1.
Class 2:
Any AI system that automatically implements a decision affecting a human is considered as AI system- Class 2
Class 3:
Any system that reacts to the human emotions, capable of creative outputs, including generative AI and is considered as AI system- Class 3
This definition includes the “Autonomy” and “Adaptiveness” of the EU-AI act and “Predictiveness” , “Automated decision making” in the ISO 42001 and the “Human like behaviour” of the UNESCO definition. The sub classifications also take into account the “Risk Perceptions” such as “Unsupervised Machine Learning”, “Bias in automated decision making” and “Hallucination and rogue behaviour”.
The first task of compliance is therefore to label a software system as “AI System” using this definition.
PS:
Under DGPSI (Digital Governance and Protection Standard of India) we define the DGPMS (Digital Governance and Protection Management System) and apply “Compliance By Design” principles.
The DGPMS is an integration of PIMS, ISMS (Personal Data Processing) and AIMS (personal data processing).
The AIMS under DGPMS is a sub system which is either a Joint Data Fiduciary or a Data Processor and compliance requirements are designed accordingly.
Comments are welcome.
Naavi