The AI Engineer’s Guide to Surviving the EU AI Act
Navigating the EU Regulatory Requirements
Larysa Visengeriyeva
The AI Engineer’s Guide to Surviving the EU AI Act
by Larysa Visengeriyeva

Copyright © 2025 Larysa Visengeriyeva. All rights reserved.

Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Acquisitions Editor: Nicole Butterfield
Development Editor: Sara Hunter
Production Editor: Kristen Brown
Copyeditor: Rachel Head
Proofreader: Kim Cofer
Indexer: Krsta Technology Solutions
Cover Designer: Susan Brown
Cover Illustrator: Monica Kaamsvaag
Interior Designer: David Futato
Interior Illustrator: Kate Dullea

July 2025: First Edition
Revision History for the First Edition
2025-06-27: First Release

See http://oreilly.com/catalog/errata.csp?isbn=9781098172497 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. The AI Engineer’s Guide to Surviving the EU AI Act, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

The views expressed in this work are those of the author and do not represent the publisher’s views. While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-098-17249-7
[LSI]
Preface

The European Union’s Artificial Intelligence Act, which came into full effect in August 2024, represents a watershed moment in the global regulation of artificial intelligence. As the first comprehensive legal framework for AI, its stated purpose is clear: to foster innovation and development within the EU while effectively mitigating the potential risks posed by AI systems. This ambitious regulation establishes a uniform legal framework governing the development, placement on the market, putting into service, and use of AI systems across the EU.

Navigating the complexities of the EU AI Act might, at first glance, seem like a task exclusively for legal teams and policy experts. The Act is indeed complex, featuring 113 articles that address highly technical issues, complemented by 13 annexes that detail implementation specifics and 180 recitals (introductory statements providing context and guidance for interpretation). However, as the practical requirements of the EU AI Act reveal, achieving and maintaining compliance with the Act is fundamentally an engineering problem. This is the core message of this book.

Operationalizing EU AI Act compliance goes far beyond legal interpretation. It requires establishing roles, processes, structures, and AI engineering practices. Post-market compliance, for instance, directly necessitates the implementation of machine learning operations (MLOps) practices such as monitoring and alerting. Successfully achieving EU AI Act compliance is linked to understanding the design, development, and maintenance of AI systems.
Compliance is not a legal stamp applied at the end of the development lifecycle, but a continuous process that must be engineered into the core of AI systems from the beginning. The Act’s foundation on the concept of “trustworthy AI” mandates that systems be lawful, ethical, and robust throughout their entire lifecycle. This necessitates embedding ethical and compliance aspects directly into the AI system development process.

This book serves as your guide to tackling EU AI Act compliance as the engineering challenge it is. We’ll explore various practical methodologies and frameworks essential for this task, including:

AI engineering
Defined as the application of software engineering principles to the end-to-end lifecycle of AI systems—including design, development, deployment, and maintenance.

CRISP-ML(Q)
This structured machine learning development process provides a blueprint for designing, developing, and maintaining AI systems with compliance in mind. Its emphasis on quality assurance and continuous risk management throughout the AI lifecycle is directly aligned with the EU AI Act’s risk-based approach. CRISP-ML(Q) requires documentation of the entire development process, including risk management measures, which is crucial for meeting the Act’s technical documentation and transparency obligations.

MLOps Stack Canvas
The MLOps Stack Canvas is a comprehensive and practical framework designed to guide organizations in architecting and managing their machine learning operations infrastructure. The canvas is structured around three core domains: Data and Code Management, Model Management, and Metadata Management. It provides a holistic view of the components necessary for successful ML deployment. By aligning with the CRISP-ML(Q) process model, the canvas ensures that each phase of the ML lifecycle is addressed, from data sourcing and versioning to model deployment and monitoring. It emphasizes critical aspects such as reproducibility, reliability, and efficiency, helping teams to plan infrastructure costs, select appropriate tools, and establish robust workflows. Serving as both a strategic and an operational tool, the MLOps Stack Canvas facilitates clearer communication among stakeholders for all ML and AI initiatives across the organization.

SMACTR (Scoping, Mapping, Artifact Collection, Testing, and Reflection)
Introduced as an internal audit framework to guide the practical implementation of ethical AI development throughout its lifecycle, SMACTR promotes a proactive and preventive approach for AI development. Embedding audit processes into the design and development phases allows engineers to anticipate and address potential risks before deployment, aligning perfectly with the Act’s emphasis on risk mitigation. SMACTR’s focus on generating detailed documentation at each stage is also essential for meeting the Act’s technical documentation requirements for high-risk AI systems.

The synergy between CRISP-ML(Q) and AI engineering offers a powerful framework for addressing EU AI Act
compliance. Furthermore, the integration of SMACTR with the CRISP-ML(Q) methodology provides a robust and auditable process for responsibly developing AI systems. This combination allows for proactively engineering compliance into the ML lifecycle, from data collection through monitoring, rather than treating it as an afterthought.

The book also explores how these engineering principles apply across the Act’s risk classifications—prohibited, high risk, limited risk, and low risk. While high-risk systems face the most stringent requirements, Article 50 introduces transparency obligations that apply to all AI systems designed to interact directly with humans, regardless of their risk level. These obligations, such as informing users of AI interaction and marking synthetic content, demand practical engineering solutions for proactive compliance. Aligning AI engineering practices with SMACTR and CRISP-ML(Q) provides a structured and automated approach to managing the AI system lifecycle for transparency.

This book also addresses the particular challenges posed by general-purpose AI (GPAI) and generative AI (GenAI), late but significant additions to the Act. The concept of generative AI operations (GenAIOps) is introduced as an extension of traditional MLOps principles to handle the unique complexities of GPAI and generative AI applications. Applying AI engineering principles to implement transparency obligations for GPAI and integrating CRISP-ML(Q), SMACTR, and GenAIOps are crucial for navigating this evolving landscape.
Who Should Read This Book

This book is intended for AI engineers, MLOps practitioners, data scientists, AI product managers, and anyone involved in the hands-on development and deployment of AI systems. It demonstrates how, through the application of robust methodologies, disciplined documentation, and continuous integration of ethical considerations, AI teams can build systems that are not only technically innovative but also demonstrably compliant, trustworthy, and aligned with societal expectations.

I have tried to make this book as actionable as possible by introducing a comprehensive framework and practical checklists for aligning AI engineering practices with the EU AI Act articles throughout the CRISP-ML(Q) lifecycle.

As ImageNet creator Fei-Fei Li, known as the Godmother of AI, noted recently: “Now more than ever, AI needs a governance framework.” This book provides the practical engineering foundation for implementing such a framework, enabling practitioners to build trustworthy AI systems that meet the stringent requirements of the EU AI Act through empirical validation, risk-aware development, and collaborative practices. The law sets the requirements, but it is the engineering that delivers compliance.

Navigating This Book

This book has been designed as a reference for you, a guide to practicing proactive EU AI Act compliance through AI engineering and integrating it into the AI lifecycle, from data collection through monitoring. Each chapter is fairly self-contained, with appropriate references to other chapters identified. The chapters are organized as follows:
Chapter 1, “Understanding the AI Regulations”, provides a foundational understanding of the EU AI Act and the need for trustworthy AI systems. It outlines seven essential requirements for building such systems: human agency and oversight; technical robustness and safety; privacy and data governance; transparency; diversity, non-discrimination, and fairness; societal and environmental well-being; and accountability. This chapter describes the structure of the Act, including definitions, key players, risk classifications, and the implementation timeline, and provides an overview of this significant regulatory framework.

Chapter 2, “AI Engineering: A Proactive Compliance Catalyst”, explains how combining CRISP-ML(Q) with AI engineering helps organizations meet the compliance requirements of the EU AI Act. CRISP-ML(Q) guides the AI lifecycle through distinct phases, such as data preparation and model evaluation, while MLOps principles including automation, versioning, testing, and monitoring provide the operational backbone for ensuring AI systems are reliable, reproducible, and continuously compliant. In this chapter, you will also learn about the MLOps Stack Canvas as a framework for defining the necessary technical infrastructure, covering data, code, and model management, to support proactive compliance engineering.

Chapter 3, “Data and AI Governance and AI Engineering”, explains the critical roles of data governance and AI governance within the context of the EU AI Act. In this chapter, you will learn about how these governance concepts can be practically
integrated into the AI system development lifecycle to ensure trustworthy and compliant AI.

Chapter 4, “AI System Assessment and Tailoring AI Engineering for Different Risk Levels”, focuses on the crucial initial steps for organizations to achieve compliance with the EU AI Act. You will learn about creating an inventory of your existing AI systems and how to classify their risk level to determine the applicable obligations. The chapter also explains the different roles organizations can take (provider or deployer), which further tailors compliance requirements.

Chapter 5, “AI Engineering for High-Risk AI Systems”, offers a comprehensive guide to implementing the EU AI Act’s requirements for high-risk AI systems through AI engineering practices. It breaks down key articles of the Act (Articles 9–15), focusing on topics like risk management, data governance, documentation, recordkeeping, transparency, human oversight, accuracy, robustness, and security. You will learn how to map the Act’s legal requirements to specific quality attributes and how to integrate them into the CRISP-ML(Q) lifecycle. This chapter shows why documentation and metadata management are crucial for demonstrating compliance and ensuring the trustworthiness of high-risk AI systems.

Chapter 6, “AI Engineering for Limited-Risk AI Systems”, focuses on how to develop AI systems that meet the EU AI Act’s transparency obligations, which differ from the stricter conformity assessments required for high-risk systems. Here, you will learn about integrating the SMACTR
framework with the CRISP-ML(Q) lifecycle. This chapter also highlights the emerging role of AI governance platforms and various technical tools in facilitating compliance and responsible AI deployment.

Chapter 7, “Toward Trustworthy General-Purpose AI and Generative AI”, explains how the Act aims to balance AI innovation with risk mitigation, introducing concepts like GPAI and systemic risk. It outlines the specific transparency obligations for generative AI systems, such as informing users of AI interactions and marking synthetic content, and details the regulations for GPAI models, including documentation and risk management requirements for providers and deployers. You will also learn about GenAIOps, a framework for operationalizing the transparency and compliance aspects of GenAI development and deployment by integrating them with established methodologies like CRISP-ML(Q) and the SMACTR framework.

Conventions Used in This Book

TIP
This element signifies a tip or suggestion.

NOTE
This element signifies a general note.

WARNING
This element indicates a warning or caution.

O’Reilly Online Learning

NOTE
For more than 40 years, O’Reilly Media has provided technology and business training, knowledge, and insight to help companies succeed.

Our unique network of experts and innovators share their knowledge and expertise through books, articles, and our online learning platform. O’Reilly’s online learning platform gives you on-demand access to live training courses, in-depth learning paths, interactive coding environments, and a vast collection of text and video from O’Reilly and 200+ other publishers. For more information, visit https://oreilly.com.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-889-8969 (in the United States or Canada)
707-827-7019 (international or local)
707-829-0104 (fax)
support@oreilly.com
https://oreilly.com/about/contact.html

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at https://oreil.ly/AI-engineer-EU-AI-Act.

For news and information about our books and courses, visit https://oreilly.com.

Find us on LinkedIn: https://linkedin.com/company/oreilly-media.

Watch us on YouTube: https://youtube.com/oreillymedia.

Acknowledgments

Bringing this book to life has been a truly fulfilling experience. I’ve had so much support from so many people throughout the process of writing the book—thank you so much to everyone who helped make it a reality!

I would like to give an especially big thank you to the book’s technical reviewers: Una Galyeva, Katharine Jarmul, Janna Lipenkova, Anil Sood, and Debmalya Biswas. Their time and effort in reading through the initial draft and providing comments, suggestions, and corrections were invaluable, and they made significant contributions to improving the book’s overall quality.

Everyone at O’Reilly has been fantastic to work with throughout the book’s lifecycle, starting with Nicole
Butterfield, who immediately saw the potential of the core message that EU AI Act compliance is fundamentally an engineering challenge. Sara Hunter worked intensively with me to shape and edit the book, and when I was ready to move to the production process, Kristen Brown was just amazing. A big thank you to the entire O’Reilly team, including copyeditor Rachel Head, proofreader Kim Cofer, indexer Ben Hurst, illustrator Kate Dullea, and the cover design team of Monica Kaamsvaag and Susan Brown. You are all heroes!

Chapter 1. Understanding the AI Regulations

As people, organizations, and the public sector increasingly rely on AI to drive decision making, the technology must be trustworthy. The EU AI Act aims to provide a legal framework for developing, deploying, and using AI technologies within the European Union, emphasizing safety, transparency, and ethical considerations. It is a regulatory framework for artificial intelligence that includes specific requirements for AI systems of different risk categories within the EU.

This book is focused on understanding and implementing the regulatory requirements set by the European Union’s legislation on artificial intelligence. Please note that the guidance it provides is not intended as a substitute for obtaining professional legal advice.

This chapter begins by outlining the motivation behind the EU AI Act, emphasizing the idea of “trustworthy AI,” and identifying the essential requirements for ensuring AI is trustworthy. It then describes the structure of the EU AI Act, including its definitions, key stakeholders, risk classifications (prohibited, high risk, limited risk, and minimal risk), and the implementation timeline. Finally, it briefly compares the EU AI Act with other international regulations and standards related to AI.

WARNING
The author is not a lawyer, and this book does not provide legal advice. The intersection of law and artificial intelligence is a complex subject that requires expertise beyond the scope of AI, data science, and machine learning. Legal considerations surrounding AI systems can be complex and far-reaching. If you have any legal concerns related to the AI systems you are working on, seek professional legal advice from qualified experts in the field.

The Motivation for the EU AI Act: Trustworthy AI

As AI becomes increasingly intertwined with our daily lives, one of the challenges we face is learning to navigate the uncertainty that comes with it. This uncertainty is inherent to AI. AI models’ predictive accuracy has long been considered a core evaluation criterion when building an AI system. However, with the widespread use of AI in critical areas such as human resources, transportation, finance, medicine, and security, there is a growing need for these systems to be trustworthy—and traditional predictive accuracy alone is not sufficient to build trustworthy AI applications.

To better understand trustworthy AI, let’s start with its definition. Trustworthy AI is an umbrella term that refers to artificial intelligence systems that are designed and developed with principles such as fairness, privacy, and non-discrimination in mind, and with robust mechanisms to ensure reliability, security, and resilience. Within the AI community, this term is used interchangeably with responsible AI, ethical AI, reliable AI, and values-driven AI.

Trustworthy AI systems must be adaptable to diverse and changing environments and robust against various types of
disruptions, including cyber threats, data variability, and operational changes. They should operate transparently and be held accountable, with continuous monitoring and evaluation to respect human rights, including privacy and freedom from discrimination, and to ensure adherence to democratic values.

Trustworthy AI is a complex term that incorporates a long list of concepts and principles, which are visualized in Figure 1-1. These concepts lay the foundation for understanding the EU AI Act.

Trustworthiness in AI is grounded in the three pillars of lawfulness, ethics, and robustness. First, AI systems should be lawful, meaning they must comply with all relevant regulations to ensure a fair market, promote economic benefits, and protect citizens’ rights. Second, they must be built on ethical principles and values, incorporating input from all stakeholders and establishing appropriate feedback mechanisms. Finally, they must be robust, accounting for potential risks and ensuring safety at every stage of development and deployment.

Figure 1-1. The foundation and seven requirements of trustworthy AI

Standing on these three pillars are seven key requirements that AI systems must implement to be deemed trustworthy:

1. Human agency and oversight
2. Technical robustness and safety
3. Privacy and data governance
4. Transparency
5. Diversity, non-discrimination, and fairness
6. Societal and environmental well-being
7. Accountability

These come directly from the requirements outlined in the Ethics Guidelines for Trustworthy AI developed by the European Commission’s High-Level Expert Group on AI (AI HLEG). In the following sections, I provide an explanation of each.

Human Agency and Oversight

Human agency and oversight are crucial in developing and operating AI systems. Human agency refers to the ability of individuals to make informed decisions and maintain control. AI systems should support this by providing transparency, interpretability, and mechanisms for control and intervention that enable humans to understand and influence the system’s decisions and actions.

Human oversight involves establishing governance processes and mechanisms that allow for human monitoring, evaluation, and intervention in the operation of AI systems. This includes ensuring transparency and