Understanding the EU AI Act

Author: 洁西索迪亚
Date Published: 6 September 2023

In a very short time, the regulatory landscape governing artificial intelligence (AI) has been undergoing a swift and transformative evolution. This accelerated pace of change can be attributed to a convergence of factors, including the rapid development of AI technology itself, the growing recognition of the ethical implications tied to AI utilization and the imperative to proactively mitigate potential risk inherent in the deployment of AI systems.

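For example:

  • China's Interim Measures for the Management of Generative Artificial Intelligence took effect on 15 August 2023.1
  • The United Kingdom published a policy paper titled A Pro-Innovation Approach to AI Regulation, which attempts to balance regulation and AI-related innovation.2
  • The Organization for Economic Co-operation and Development (OECD) adopted a (nonbinding) recommendation on AI in 2019.3
  • The European Commission tabled the Artificial Intelligence Act (AI Act) on 21 April 2021, and it is currently undergoing amendments and discussions by various EU institutions, such as the European Parliament and the Council of the European Union.4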

The AI Act proposed by the European Commission is considered the benchmark regulation around AI. By studying the finer details of this act, IT auditors and other information security professionals can better understand how it might affect their future of work.

AI Legislation: Understanding the AI Act

The AI Act is a comprehensive legal framework that will regulate the development, deployment and use of AI systems in the European Union based on their level of risk to human health, safety and fundamental rights.5

The general objective of the AI Act is to ensure the proper functioning of the European single market by creating conditions for the development and use of trustworthy AI systems in the European Union. The AI Act also seeks to foster innovation and competitiveness in the AI sector, while ensuring that AI systems respect EU values and rules.6

Risk-Based Approach
The AI Act proposes a risk-based approach and horizontal regulation. It classifies AI systems into four risk categories: prohibited, high risk, limited risk and minimal risk (figure 1).

Figure 1

Prohibited AI systems are those that violate human dignity, such as those that manipulate human behavior or exploit vulnerabilities. These systems are banned from being developed, placed on the market or used in the European Union.

High-risk AI systems are those that pose significant risk to health, safety or fundamental rights, such as those used for biometric identification, recruitment, credit scoring, education or healthcare. High-risk AI systems must comply with strict rules on data quality, transparency, human oversight, accuracy, robustness and security. They must also undergo a conformity assessment before being placed on the market or put into service.

Limited-risk AI systems are those that pose some risk to users or consumers, such as those that generate or manipulate content or provide chatbot services. Limited-risk AI systems must provide users with clear information about their nature and purpose and allow users to opt out of using them.

Minimal-risk AI systems are those that pose no or negligible risk, such as those used for entertainment or personal purposes. Minimal-risk AI systems are subject to voluntary codes of conduct and best practices.

Governance Structure
The AI Act also aims to establish a governance structure for the implementation and enforcement of its rules. This includes a European AI Board (EAIB) that will provide guidance and advice on various aspects of the AI Act, such as harmonized standards, codes of conduct and risk assessment methodologies.

According to the law, “The board should reflect the various interests of the AI eco-system and be composed of representatives of the member states.”7

The EAIB will also facilitate cooperation and coordination among national competent authorities who will be responsible for monitoring and supervising compliance with the AI Act in their respective territories.

The AI Act also specifies sanctions and remedies for noncompliance, such as fines up to 6% of annual worldwide turnover or EU€30 million (whichever is higher) for serious infringements.

The AI Act is a landmark piece of legislation that will have significant implications for the development and use of AI systems in the European Union and beyond. It reflects the European Union's ambition to become a global leader in trustworthy and ethical AI, while also fostering innovation and competitiveness in the AI sector.

Support for Innovation

In the EU AI Act, the European Commission has also proposed the establishment of a regulatory sandbox (i.e., a controlled environment that facilitates the development, testing and validation of innovative AI systems).8

The sandbox environment will allow organizations and individuals to foster AI innovations without meeting EU General Data Protection Regulation (GDPR) requirements. However, this is permitted only for a limited period of time.

Conclusion

The AI Act is relevant for IT audit and information security professionals because it establishes rules and standards for the development, deployment and oversight of AI systems. It also establishes a risk-based approach to AI governance, with different levels of requirements depending on the potential impact of the AI system on human rights, safety and fundamental values.

IT auditors and information security professionals should familiarize themselves with the main provisions and requirements of the AI Act and assess how they will affect current and future projects involving AI systems. It is essential for practitioners to keep track of the ongoing developments and discussions around all AI regulations to ensure that adequate controls, in line with regulatory requirements, are in place.

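Endnotes

1 Liu, I.; D. Edmondson; “China: New Interim Measures to Regulate Generative AI,” Baker McKenzie, August 2023
2 UK Government Department for Science, Innovation and Technology, A Pro-Innovation Approach to AI Regulation, UK, 3 August 2023
3 Organization for Economic Co-operation and Development (OECD), Recommendation of the Council on Artificial Intelligence, May 2019, France
4 European Parliament, Artificial Intelligence Act, June 2023, UK
5 Edwards, L.; The EU AI Act: A Summary of Its Significance and Scope, Ada Lovelace Institute, UK, April 2022
6 European Parliamentary Research Service, “EU Legislation in Progress
7 Feingold, S.; “The EU AI Act Explained,” June 2002
8 Op cit European Parliament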

洁西索迪亚

Is the director of IT, cyber and privacy audit at a global bank. He is responsible for leading global audit and advisory engagements across several areas including cloud platforms, cybersecurity, data privacy, third-party risk, global data centers, networks, enterprise resource planning systems and financial audit integration. He previously worked as an advisory consultant for a leading Big 4 consulting firm and as IT audit manager for a global multinational healthcare organization. 西索迪亚 is an ISACA® Journal article reviewer and actively contributes to the ISACA Journal and the ISACA Now blog.