The countdown to full enforcement of the European Union’s AI Act continues its steady march forward. The first rules of the act, including prohibitions on unacceptable use cases and AI literacy obligations, started to apply last month.
The EU AI Act will go into effect for most organizations next August with enforcement beginning the following year. Most businesses are already behind the curve, according to experts.
“The state of readiness is not great,” Gartner VP Analyst Nader Henein told CIO Dive. “They’re still trying to figure it out.”
CIOs and technology leaders have a vital role to play in guiding their organizations’ compliance journey, from keeping up with evolving requirements to vendor management and risk assessment.
Noncompliant companies risk fines of up to $37.9 million (35 million euros) depending on the gravity and duration of the infringement, according to the EU. Supplying enforcers with incomplete or misleading information carries a penalty of up to $8.1 million (7.5 million euros). The rules apply to businesses operating and serving customers in the EU, regardless of where they’re headquartered.
“Compliance is often seen as a nuisance,” Stijn Christiaens, cofounder and chief data citizen at Collibra, said.
Organizations that focus on checking off boxes will likely run into problems. “It might keep the regulator at bay, but it doesn’t fully work in practice,” Christiaens said.
Where to start
The majority of the provisions in the act will not fully kick in for more than a year, but organizations shouldn’t take a wait-and-see approach, experts told CIO Dive.
“The [General Data Protection Regulation] came into effect all in one big chunk,” Henein said. “The downside of that is most organizations only really started paying attention in the last three months … it became a mad rush to try to put something together.”
Most organizations failed to meet GDPR compliance requirements, leading data privacy watchdogs to dole out fines of around $123 million (114 million euros) in less than two years, CIO Dive reported at the time.
CIOs can help their organizations get on track for EU AI Act enforcement if efforts aren’t already underway.
“If you start now, I wouldn’t say you are too late, but you already have to speed up the process a little bit,” said Saskia Vermeer-de Jongh, partner and AI and digital law leader at HVG Law.
Experts recommend organizations begin by:
- Cataloging AI uses
- Organizing a compliance team
- Creating an AI literacy initiative
Christiaens said identifying each instance of AI is the first step in knowing whether a company’s use falls under the EU’s prohibited list.
“This is where many of the [large organizations] have started,” Christiaens said.
AI is commonly implemented all across a business, pushing technology leaders to connect with stakeholders in different departments for an accurate view. The need for collaboration has led organizations to create multidisciplinary teams to ensure shared accountability.
“The main discussion I’ve had for the last six months with all of my clients, whether it’s a big company, financial company, tech company or a smaller company, [was] who should be at the table,” Vermeer-de Jongh said. Groups can include legal departments, CISOs, technical professionals and heads of data.
Internal compliance watchdog groups can help break down silos and facilitate progress toward reaching other AI Act targets, such as having an AI literacy initiative. The EU created a living repository of how organizations are addressing the literacy provision last month.
Vendor management
As enterprises work on their compliance plans, vendor outreach is key.
More companies developed generative AI tools in-house last year than the year before, but most AI use is still sourced via vendors, according to a Menlo Ventures survey of 600 enterprise IT decision-makers.
“If two years ago a vendor didn’t have AI capabilities in their product, they have them now and they have many now,” Henein said. “It’s a problem, because every time they add a feature, it’s another line item that companies have to track.”
CIOs have already voiced concerns around AI washing and vendor-led AI hype. Now they have another reason to stay wary of an abundance of new features: compliance complexity.
“You can’t just assess a product, you have to assess the individual features in a product,” Henein said. “You can’t do that without support from the vendor. Very few vendors have provided lists with all of the AI systems in their products.”
Businesses will also need to think twice about upgrade settings. Compliance gaps can open up if vendors automatically turn on AI features without approval.
Ensuring vendors have features disabled by default is critical. CIOs should push back on vendors that try to dissuade them.
“A lot of vendors got on top of the hype train and launched dozens of features that are not very valuable,” Henein said. AI regulation, and in particular the AI Act, could “cut down on a lot of the AI garbage that’s out there,” he added.
Keep up
Once enterprises get on track, the focus turns to keeping up.
Experts recommend organizations create an internal timeline of key milestones and set up a system to track other regulatory developments.
Some vendors and organizations are positioning themselves to assist companies in getting on track and staying there. In January, Collibra launched an EU AI Act assessment tool. University of Oxford researchers created capAI, a platform to conduct conformity assessments of AI systems in accordance with the EU AI Act. PwC also has an EU AI Act compliance tool.
“It’s not a one-off activity,” Vermeer-de Jongh said. “You need to monitor, stay up to date and make sure you have a process in place.”
Maintaining compliance with AI rules is certainly not going to get any easier, emphasizing the need for accountability and governance.
While the U.S. is promoting a deregulation approach to AI at the federal level, states are stepping in to fill the gaps, leading to an ever-evolving patchwork of rules. Enterprises that prioritize compliance and transparency are likely to find themselves in a better position than those that fall behind.
“If you have proper processes in place to deal with your data, if you have proper responsibilities in place, then you have a lot of the groundwork already done for whatever regulation or rules comes next in your geography,” Christiaens said.