While the adoption of artificial intelligence (AI) can help enterprises operate more efficiently, there is significant risk associated with it, including lawsuits, AI misuse and biased data. Liability around AI remains murky, and it is often unclear who is ultimately accountable for harm caused by AI outputs. The EU AI Act, which was approved by the European Parliament and EU Council earlier this year, could help mitigate some of the risk associated with AI, allowing enterprises to use AI technologies in a safe, ethical and responsible way, instilling confidence in AI systems.
Enterprises that must be compliant with the EU AI Act should begin working toward compliance immediately, since the regulation entered into force on 1 August 2024. In an effort to help practitioners navigate the regulation, ISACA has released a new white paper, Understanding the EU AI Act: Requirements and Next Steps, which explores the Act’s scope and risk categorization method, and provides a high-level overview of the regulation’s requirements.
The EU AI Act puts requirements into place for certain AI systems used in the European Union and bans certain AI uses—most of which will apply beginning 2 August 2026. The Act has many layers of compliance requirements, including at the AI use case, model, system, project and enterprise levels. These requirements may vary depending on whether the enterprise is a provider, deployer, importer, or distributor, and whether the AI is high-risk, limited-risk, a general-purpose AI model, or some combination.
ISACA’s white paper also shares next steps for practitioners looking to be compliant with the Act, with key considerations for enterprises beginning an AI program, including:
- Institute audits and traceability
- Adapt existing cybersecurity and privacy policies and programs
- Designate an AI lead who can be tasked with tracking AI tools and the enterprise’s broader approach to AI
While not every enterprise around the world will need to be compliant with the EU AI Act, it is worthwhile to know the key requirements of the Act. The risk classification outlined in the Act can help enterprises think about the AI products they use and understand the risk associated with them.
The Understanding the EU AI Act: Requirements and Next Steps white paper is available for free at h04.v6pu.com/eu-ai-act. For additional AI resources from ISACA, including online courses and an AI audit toolkit, visit h04.v6pu.com/ai.