Impact of the EU AI Act on Cybersecurity and Privacy Teams
The EU AI Act represents a significant regulatory shift, setting new standards for the development, deployment, and use of artificial intelligence within the European Union. This legislation has far-reaching implications for various functions, especially for cybersecurity and privacy teams. This article explores critical areas where these teams must focus to ensure compliance and leverage the opportunities presented by the EU AI Act.
Governance
Many organizations still need to establish multi-stakeholder, cross-functional collaboration for tasks related to EU AI Act compliance, including governance, risk management, and security. Managing AI risks alone requires specialized knowledge in security, privacy, compliance, ethics, and more. Cybersecurity and privacy teams need to proactively establish such collaborations to ensure their participation in the right discussions at the right time. This proactive approach is essential to integrate cybersecurity and privacy considerations from the outset and align with broader organizational goals.
Visibility
In a world where large corporations are unaware of the existence of entire data centers, ensuring visibility into all AI systems developed and procured within the company is paramount. The first order of business when preparing to comply with the AI Act is to guarantee comprehensive visibility. This visibility must be translated into an inventory process. Adapting procurement processes to support such inventory will streamline compliance efforts. For cyber teams, this includes all cybersecurity tooling, even if AI is only used for marketing purposes. Ensuring visibility and establishing inventory processes will enable advanced preparation, such as execution of time-consuming activities, even as companies await further guidance on compliance requirements.
Explainable AI
In all regulations, privacy teams should ensure that AI tools and algorithms are as clear and transparent as possible, making them at least explainable. Explainable artificial intelligence means the reasoning behind a decision should be clear enough for its human users to understand. Transparency is achieved through documenting assumptions and through the logic behind the machine learning model. This helps to avoid the “black box” challenge, where the internal mechanics of the AI are unclear or even hidden. Keeping AI explainable does not mean it will be free from errors or bias; it merely means that the assumptions made during the creation of the tool or algorithm can be explained. Having well-documented information on the machine learning model, including its input, expected output, and intended purposes, will support stakeholders and users to trust and use it.
Guidelines for Estimating High-Risk AI
The next step involves estimating potential high-risk AI systems by considering factors such as intended use, potential harm, and data processing involved. The challenge lies in the fact that specific guidelines for such classification are not yet public and will only be released 18 months after the EU AI Act comes into force. In the interim, organizations need to develop and apply internal criteria and frameworks to evaluate AI systems’ risk levels effectively.
Development of AI
The EU AI Act presents a golden opportunity for cybersecurity and privacy teams to become key partners in the development of AI systems. These systems, often seen as innovation playgrounds, frequently bypass best practices from software development, including security controls. The regulation raises awareness about the necessity of integrating security controls from the design stage and emphasizes the importance of involving cybersecurity teams as stakeholders. This provides an additional opportunity for cybersecurity teams to invest in educating stakeholders on necessary controls and measures ahead of the game. As a privacy team, it is important to ensure that these integrations are not only compliant with regulatory requirements but also go beyond the highest standards of data protection and user privacy, safeguarding against potential legal liabilities and reputational risks.
Deployment of AI
Even if a company is not developing AI systems but merely uses them, it must still fulfill several obligations. A critically important obligation is to prove that the company used the high-risk AI system in accordance with the provider’s instructions in cases of potential liability. Companies using AI systems, estimated to be high-risk, must ensure they have robust agreements with vendors. Further obligations include requirements to provide human oversight and monitor the input data and system operation.
For cybersecurity teams, the requirement for AI users means they need to start estimating the risks associated with deployed AI systems, such as User and Entity Behavior Analytics (UEBA), within their practice. Teams should initiate discussions with vendors where necessary and assess the potential impact on architecture and roadmaps.
Privacy teams can consider implementing privacy-by-design principles and conducting regular privacy impact assessments (PIA) to identify and mitigate potential risks to individuals’ data privacy.
Conclusion
The EU AI Act imposes new challenges and responsibilities on organizations, especially their cybersecurity and privacy teams, and also offers significant opportunities. By establishing robust governance, ensuring visibility, and proactively preparing and managing high-risk AI systems, cybersecurity teams can not only comply with the new regulations but also seize the opportunity to become integral to AI development and deployment processes. Taking early and decisive action in these areas is the key to successfully navigating AI regulatory requirements. For privacy teams, ensuring the AI is explainable, adding privacy-by-design principles, and conducting regular privacy impact assessments to comply is essential.
