EU AI Act Enters Enforcement Phase, Deadline Looms

The European Union's AI Act, the world's first comprehensive AI law, is entering its enforcement phase. Companies with high-risk AI systems now face an August 2, 2026 deadline to establish risk management systems, ensure human oversight, and obtain necessary certifications. Media reports indicate a scramble among startups and enterprises to comply with the rules, which carry penalties of up to €35 million or 7% of global turnover.

- The EU AI Act categorizes AI systems into four tiers of risk: unacceptable, high, limited, and minimal. Prohibited practices include social scoring, real-time biometric identification in public spaces (with narrow exceptions), and manipulative AI that could cause harm.
- General-purpose AI (GPAI) models face a separate two-tiered system. Models deemed to have "systemic risk," a classification presumed when the training computation exceeds 10^25 FLOPs, face stricter obligations, including thorough model evaluations, adversarial testing, cybersecurity measures, and reporting serious incidents to the EU AI Office.
- The newly formed European AI Office, housed within the European Commission, holds exclusive power to enforce the rules for general-purpose AI models. This body is responsible for developing evaluation benchmarks and facilitating codes of practice, and it can request information, conduct evaluations, and impose sanctions.
- For providers of high-risk AI systems, the Act mandates the implementation of a continuous risk management system throughout the AI's lifecycle. This includes obligations around data governance to ensure training data quality, detailed technical documentation, automatic event logging, and ensuring robust human oversight capabilities.
- Downstream providers who integrate a GPAI model into their own high-risk AI system are also subject to the Act's requirements. Developers of GPAI models must provide technical documentation to help these downstream companies comply with the regulations.
- The legislation has extraterritorial reach, applying to any company providing AI systems or their outputs for use within the EU, regardless of where the company is based. This establishes a global precedent, contrasting with the state-controlled approach in China and the more market-driven, fragmented landscape in the United States.
