AI: New entries in SafetyRiskAssessmentType to accommodate risk levels in EU AI Act #650
Comments
We took our definitions of the Risk levels from: https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf The terminology section (2.1) introduces the risk level terms we've used. In the EU AI Act, is there such a table for defining when unacceptable, high, limited, and minimal should be used? My guess at this point is Not sure why they didn't align with the EU risk definition, and created their own terms. That being said - we need to clean up our definition in the specification to be closer to those in Table 2 I think, so it's not so ambiguous to just have keywords on their own.
Thanks Kate. I will try to provide some further information here so people can give more of their thoughts.
Risk level categorisation
(Page numbers in this section are based on the most recent draft [dated 26 Jan 2024] of the EU AI Act, available publicly at https://data.consilium.europa.eu/doc/document/ST-5662-2024-INIT/en/pdf )
Unacceptable risk
High-risk
Limited risk
Minimal or no risk
Discussed in AI Profile WG meeting 2024-03-06.
Let's discuss this in the meeting. Possibly we should adjust 3.0's risk to be "General Risk", so we leave a spot for "AI Risk" to emerge in future, without being a breaking change? Thoughts?
Agree. We can keep the 4 risk types (levels) as they are now. And probably rename the property to
@bact @kestewart After re-reading Arthit's detailed explanation, I can see an issue for obtaining EU AI Act compliance in an easy manner since there isn't a direct mapping. If I wanted to scan an AI BOM to audit for a specific country's regulations then a generic risk level isn't going to help with that process. I'm going to raise this issue with EU Project Office. Ideally we need them to unify the definitions. But for the short term, maybe we have two fields in SPDX AI Profile, one with name of useRiskAssessment to capture the EU AI (Risk levels in EU AI Act are based on 1) its use [for example, Article 5] 2) intended purpose [Article 6] or 3) its design [Article 52a(2)]). Or we can have different types of risk options, i.e. AIAct_medium, AIAct_restricted. Or does anyone else have an idea?
PR #675 is open to make it more explicit in the description of
SPDX 3.0 AI Profile has safetyRiskAssessment [1] for level of risk posed by an AI software.
Its type is safetyRiskAssessmentType [2] which can have one of these values:
serious: The highest level of risk posed by an AI software.
high: The second-highest level of risk posed by an AI software.
medium: The third-highest level of risk posed by an AI software.
low: Low/no risk is posed by the AI software.
These values are from EU General Risk Assessment Methodology [3].
EU AI Act (Draft 26 Jan 2024) [4] has four levels of risk:
Different risk levels come with different obligations.
An AI system that poses an unacceptable risk is prohibited in the EU.
See summary in [5].
While there are similarities between risk levels in SPDX 3.0 and EU AI Act, they are not exactly the same.
Minimal may use SPDX 3.0 low
serious and high could fall into EU AI Act High
Unacceptable and Limited in SPDX 3.0
In order to accommodate EU AI Act risk levels, we may need to either:
safetyRiskAssessmentType; or
safetyRiskAssessment to have another type (in addition to safetyRiskAssessmentType), where that new type will have a list of EU AI Act four levels of risk/obligations
Other possibilities?
References
[1] https://github.com/spdx/spdx-3-model/blob/main/model/AI/Properties/safetyRiskAssessment.md
[2] https://github.com/spdx/spdx-3-model/blob/main/model/AI/Vocabularies/SafetyRiskAssessmentType.md
[3] Page 5 https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf
[4] https://data.consilium.europa.eu/doc/document/ST-5662-2024-INIT/en/pdf
[5] https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai