Understanding the EU AI Act

Jai Sisodia
Author: Jai Sisodia
Date Published: 6 September 2023

In a very short time, the regulatory landscape governing artificial intelligence (AI) has been undergoing a swift and transformative evolution. This accelerated pace of change can be attributed to a convergence of factors, including the rapid development of AI technology itself, the growing recognition of the ethical implications tied to AI utilization and the imperative to proactively mitigate potential risk inherent in the deployment of AI systems.

For example:

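  • China's Interim Measures for the Management of Generative Artificial Intelligence took effect on 15 August 2023.1
  • The United Kingdom published a policy paper titled A Pro-Innovation Approach to AI Regulation, which seeks to balance regulation and AI-related innovation.2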
  • The Organization for Economic Co-operation and Development (OECD) adopted a (nonbinding) recommendation on AI in 2019.3
  • The European Commission tabled the Artificial Intelligence Act (AI Act) on 21 April 2021, and it is currently undergoing amendments and discussions by various EU institutions, such as the European Parliament and the Council of the European Union.4

The AI Act proposed by the European Commission is considered the benchmark regulation around AI. By studying the finer details of this act, IT auditors and other information security professionals can better understand how it might affect their future of work.

AI Legislation: Understanding the AI Act

The AI Act is a comprehensive legal framework that will regulate the development, deployment and use of AI systems in the European Union based on their level of risk to human health, safety and fundamental rights.5

The general objective of the AI Act is to ensure the proper functioning of the European single market by creating conditions for the development and use of trustworthy AI systems in the European Union. The AI Act also seeks to foster innovation and competitiveness in the AI sector, while ensuring that AI systems respect EU values and rules.6

Risk-Based Approach
The AI Act proposes a risk-based approach and horizontal regulation. It classifies AI systems into four risk categories: prohibited, high-risk, limited-risk and minimal-risk (figure 1).

Figure 1

Prohibited AI systems are those that violate human dignity, such as those that manipulate human behavior or exploit vulnerabilities. These systems are banned from being developed, placed on the market or used in the European Union.

High-risk AI systems are those that pose significant risk to health, safety or fundamental rights, such as those used for biometric identification, recruitment, credit scoring, education or healthcare. High-risk AI systems must comply with strict rules on data quality, transparency, human oversight, accuracy, robustness and security. They must also undergo a conformity assessment before being placed on the market or put into service.

Limited-risk AI systems are those that pose some risk to users or consumers, such as those that generate or manipulate content or provide chatbot services. Limited-risk AI systems must provide users with clear information about their nature and purpose and allow users to opt out of using them.

Minimal-risk AI systems are those that pose no or negligible risk, such as those used for entertainment or personal purposes. Minimal-risk AI systems are subject to voluntary codes of conduct and best practices.

Governance Structure
The AI Act also aims to establish a governance structure for the implementation and enforcement of its rules. This includes a European AI Board (EAIB) that will provide guidance and advice on various aspects of the AI Act, such as harmonized standards, codes of conduct and risk assessment methodologies.

According to the legislation, “The board should reflect the various interests of the AI eco-system and be composed of representatives of the member states.”7

The EAIB will also facilitate cooperation and coordination among national competent authorities who will be responsible for monitoring and supervising compliance with the AI Act in their respective territories.

Sanctions and remedies for noncompliance are also specified, such as fines up to 6% of annual worldwide turnover or EU€30 million (whichever is higher) for serious infringements.

The AI Act is a landmark piece of legislation that will have significant implications for the development and use of AI systems in the European Union and beyond. It reflects the European Union's ambition to become a global leader in trustworthy and ethical AI, while also fostering innovation and competitiveness in the AI sector.

Innovation Support

In the EU AI Act, the European Commission has also proposed the establishment of a regulatory sandbox (i.e., a controlled environment that facilitates the development, testing and validation of innovative AI systems).8

The sandbox environment will allow organizations and individuals to foster AI innovations without meeting EU General Data Protection Regulation (GDPR) requirements. However, this is permitted only for a limited period of time.

Conclusion

The AI Act is relevant for IT audit and information security professionals because it establishes rules and standards for the development, deployment and oversight of AI systems. The act also establishes a risk-based approach to AI governance, with different levels of requirements depending on the potential impact of the AI system on human rights, safety and fundamental values.

IT auditors and information security professionals should familiarize themselves with the main provisions and requirements of the AI Act and assess how they will affect current and future projects involving AI systems. It is essential for practitioners to keep track of the ongoing developments and discussions around all AI regulations to ensure that adequate controls, in line with regulatory requirements, are in place.

Endnotes

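1 Liu, I.; D. Edmondson; “China: New Interim Measures to Regulate Generative AI,” Baker McKenzie, August 2023
2 UK Government Department for Science, Innovation and Technology, A Pro-Innovation Approach to AI Regulation, UK, 3 August 2023
3 Organization for Economic Co-operation and Development (OECD), Recommendation of the Council on Artificial Intelligence, France, May 2019
4 European Parliament, Artificial Intelligence Act, UK, June 2023
5 Edwards, L.; The EU AI Act: A Summary of Its Significance and Scope, Ada Lovelace Institute, UK, April 2022
6 European Parliamentary Research Service, “EU Legislation in Progress”
7 Feingold, S.; “The EU's Artificial Intelligence Act, Explained,” June 2002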
8 Op cit European Parliament

Jai Sisodia

Is head of IT, cyber and privacy audit at a global bank. He is responsible for leading global audit and advisory engagements across several areas including cloud platforms, cybersecurity, data privacy, third party risk, global data centers, IT networks, enterprise resource planning systems and financial audit integration. He previously worked as an advisory consultant for a leading Big 4 consulting firm and as IT audit manager for a global multinational healthcare organization. Sisodia has been an ISACA® Journal article reviewer and actively contributes to the ISACA Journal and ISACA Now Blog.