The regulation aims to create a clear common regulatory basis for artificial intelligence systems in the EU. However, the application of the regulation raises a wide range of questions from the use of training data to security, transparency and documentation of AI.
This article attempts to briefly cover an essential element of the scope of the regulation: the definition of an AI system.
AI models and AI systems
The Regulation distinguishes between AI models and AI systems, where AI models are understood as the actual AI functionality that together with other components, such as a user interface, constitute an AI system. AI models are (typically) integrated into and form part of an AI system.
The distinction between AI models and AI systems is particularly relevant in relation to so-called general-purpose AI models. This includes models that are trained on large amounts of data and can be used, modified and customised for a wide variety of tasks. General-purpose AI models are subject to specific requirements in the regulation.
General-purpose AI models - and so-called general-purpose AI systems that utilise these models - and their specific regulation in the Regulation are not further addressed in this article. What follows concerns AI systems and their definition.
Scope of the regulation in relation to AI systems
The Regulation covers and regulates the development, distribution and use of AI systems. AI systems include IT systems used stand-alone or in conjunction with a product or solution, regardless of whether the system is integrated into the product or otherwise included in the product's functionality.
The Regulation recognises in the preamble that defining artificial intelligence can be difficult, but states in recital 12 of the preamble that:
"The notion of "AI system" in this Regulation should be clearly defined and should be closely aligned with the work of international organisations working on AI to ensure legal certainty, facilitate international convergence and wide acceptance, while providing the flexibility to accommodate the rapid technological developments in this field. Moreover, the definition should be based on key characteristics of AI systems that distinguish it from simpler traditional software systems or programming approaches, and should not cover systems that are based on the rules defined solely by natural persons to automatically execute operations. [...]"
On this basis, the Regulation defines an AI system in Article 3(1) as:
"a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments."
How to determine if it is an AI system?
Although the preamble of the Regulation intends to provide a clear definition of an AI system, the definition contains a number of criteria that require detailed assessment before it can be determined whether a specific IT system is covered by the Regulation. There are, of course, many examples of systems that can be categorised as an AI system covered by the Regulation without specific analysis and assessment.
However, there will be a large number of solutions where there may be legitimate doubts, especially where there is insufficient insight into which components are included in the solution and its functionality. The assessment is also often complicated by the fact that suppliers tend to market even simple automation as artificial intelligence, often against their better judgement.
As it can be difficult to gain full insight into the structure and functionality of an IT system, we can instead try to uncover identifiers that can contribute to the assessment of whether it is an AI system. These indicators - which naturally relate to the criteria in the definition of an AI system - can be uncovered by examining a number of aspects. This can be illustrated by the following - non-exhaustive - questions:
- Are known standard AI models or AI-based tools included in the system, including components licensed under open source licences?
- Does using the system require it to be developed by training on concrete training data prior to and/or during operation of the system?
- What is the variation in the task(s) the system solves?
- What type of input does the system use?
- Is the system's "response" predefined, or can the system itself adapt the response to the specific situation?
- What type of output is generated and what is the output used for?
- What is the variation in the output generated?
Horten advises our clients within all areas of relevance to artificial intelligence, including IT law, data protection law, intellectual property law, product liability and public regulation, and can assist in implementing the requirements of the Regulation.