Everything You Need to Know About the EU AI Act and How Software Visibility Can Support Compliance

In the Gartner® Hype Cycle™ for Emerging Technologies 2024, Generative AI is poised to enter the Trough of Disillusionment after reaching a fever pitch at the Peak of Inflated Expectations. While the regulations of the EU AI Act may contribute to changes in speed of delivery across the market, Xensam’s AI Product Manager, Sonny Mir, believes that the Act is a necessary and vital turning point in the industry that will have lasting positive impacts.

“Transparency is incredibly important for ethical AI. The Act aims to demystify AI systems, making it easier for users to understand how these systems operate and form conclusions. The Act's focus on clear communication about how AI systems interact with users is a significant change.”

- Sonny Mir, AI Product Manager at Xensam

The Act also emphasizes the importance of data quality, which addresses a significant issue in AI ethics. Mir believes that emphasis on data integrity will likely drive major improvements in AI development and deployment in the future. 

“The Act will empower us, the people, and help build trust in AI technologies, leading to broader acceptance and more responsible use. It's a chance to create AI systems that are ethical and resilient enough to withstand public examination.”

- Sonny Mir, AI Product Manager at Xensam

Software Visibility Can Support Compliance  

As companies assess their unique path to compliance, an inventory of all AI software will be a critical starting place. Lack of visibility is a notable barrier as these tools are often used without authorization from IT departments. In a recent survey of 14,000 employees across 14 countries, 55% of respondents utilize AI tools without consent. 

Another survey found that 7 in 10 workers who use AI tools like ChatGPT do so without consent from their organization, raising significant data privacy concerns. Large companies like JPMorgan Chase, Apple, and Spotify opted to ban or limit the use of AI software, including ChatGPT and GitHub’s CoPilot. JPMorgan Chase reported that they could not determine “how many employees were using the chatbot or for what functions they were using it" before instituting a ban. The consequences of unauthorized use of higher-risk AI systems could be substantial.  

With the right software inventory capabilities, companies can ensure that AI asset usage is detected, assessed, and brought into compliance on an ongoing basis. Xensam’s VP of International Sales, Alex Geuken, believes the SAM department will take center stage in supporting organization efforts to reach compliance.  

“With the new EU AI Act, SAM managers get another task. On top of compliance, optimization, SaaS management, GDPR, CSRD, and all other related tasks they now have a significant role in oversight of AI tools together with Security and Legal departments.  

You can't manage what you can't see, and the SAM department will answer critical questions like: Do we have visibility of what AI tools are installed or used? Who is using the AI tool? How much is the tool being used? What is it being used for? What data is being shared with AI provider?  Where is the data stored? This kind of visibility will be crucial to managing AI assets under the EU AI Act.” 

- Alex Geuken, Xensam

Steps to Get Compliant with the EU AI Act 

These are crucial steps to prepare as companies become familiar with the new legislation and evaluate which provisions are relevant to their daily operations. 

Visibility Comes First: Visibility of all software assets is crucial to building a compliance roadmap. Investing in technology that helps you detect applications, whether authorized or not, is critical. According to analysts at Forrester, an inventory of tools can raise critical red flags around risk categorization:  

“Amassing a tool inventory and identifying specific use cases will help organizations classify risk. In some cases, seemingly low-risk use cases can be much more complex, especially when tech leaders start to consider how much personal data is being exposed.”

- Lindsey Wilkinson, CIO Dive

Define AI Use Cases: Regulation of AI tools will differ based on the purposes for which they are used within businesses. After you know what AI tools your organization uses, you can define the specific use case of these tools.  

Determine Risk Categorization: Determining the risk category will be more straightforward once you know what you have and what it’s used for. The Act includes extensive definitions of each risk category and use case.  

Evaluate Codes of Conduct and Transparency Guidelines: While many companies may not use high-risk AI tools, assessing voluntary or mandatory transparency guidelines and codes of conduct is highly advisable. Safe and transparent use of AI is the future; preparing now will prevent it.  

Document Organizational Use of AI and Compliance Measures: It is crucial to maintain ongoing documentation of all AI systems, their use cases, risk categorization, and any mandatory regulations and transparency guidelines your company undertakes about them. This type of documentation provides a clear picture of compliance. It empowers organization-wide education on how your company utilizes AI tools now and in the future, as regulated by the EU AI Act. 

Conclusion 

The widespread adoption of AI across business sectors has enabled leaps in productivity and innovation. Still, as with any new advancement, it has raised global questions about fair, transparent, and ethical implementation. The EU AI Act is the first legislation to regulate the development and use of AI systems at such a large scale and will have significant implications for the EU and beyond. Companies must start assessing their use of AI tools to ensure compliance. Software visibility is the crucial first step to understanding how AI is adopted across the business.  

Connect with Jeffrey Rivero >>

Connect with Sonny Mir >> 

Connect with Alex Geuken >>