Articles

18.04.2023

Key Actions to Drive Compliance with AI Regulations

Over the last few years, artificial intelligence (AI) has started to appear in many areas in business life. Recently, companies have adapted to the digital world with the use of big data and AI, in this sense, many operations are carried out by using algorithmic systems. 

All these and many more other aspects lead companies to invest in AI systems growingly in order to gain a competitive advantage. The widespread use of AI requires the establishment of a compliance program - one that addresses not only keeping up with the technological developments but also with the relevant legal obligations. AI systems may cause serious risks for companies including the emergence of disputes and legal violations which highlights the importance of the existence of a compliance program. Due to the risks posed by certain AI systems, compliance programs should have a detailed, multi-layered approach and seek balance between company's expectations and legal requirements.

Non-binding (softlaw) legal instruments have been widely used in the deployment of AI systems. In this regard, ethical rules, as a self-regulation mechanism, have played an important role. Although companies adopt ethical rules, policies and procedures, these texts that they have prepared themselves are not binding or inclusive. In fact, even the contents of the texts could often be incomplete. For this reason, international and regional organizations and national authorities have been working on a comprehensive and binding regulations that covers various aspects of AI systems.  

In this sense, the EU regulatory framework proposal prepared by the European Commission on AI could deemed to be a pioneer among legal regulations. Although there are many regulations that can affect the use of AI in various sectors and fields, the EU draft is a horizontally applicable regulation. The 2021-2025 National Artificial Intelligence Strategy published in Turkey is an important indicator that such regulations will emerge at the national level in the near future. It is considered that the said strategy will pave the way for a legal regulation in this area.

Organizations should therefore establish a compliance program regarding possible requirements of AI regulations by being up-to-date with the latest developments at national and international level. The compliance programs are recommended to be prepared based on the basic obligations regulated in the aforementioned and other legal regulations while also taking the demands of organizations into account. 

Key actions to consider in preparing an AI compliance program

1.     Build a comprehensive AI inventory

At the beginning of compliance program, an inventory covering all the AI systems that are being used should be created. In this way, it will be ensured that AI systems can be followed collectively and risk classifications can also be made. A comprehensive and well-prepared inventory will also contribute to tracking and meeting current needs in other areas such as privacy and cybersecurity.

2.     Keep up with the new and changing regulations

The changing and ambiguous nature of AI regulations could lead to significant changes in the requirements in a short time. In addition, the change in the risk categorization of a system may cause different obligations to be applied. Therefore, organisations will face increasingly new and complex requirements with less time to react. All these aspects show the importance of a monitoring mechanism on legislative changes which will enable organizations to meet applicable up-to-date requirements.  

3.     Develop a risk-management program

A risk-based policy approach to AI applications tend to be mainly adopted. This requires implementing detailed impact assessments, developing risk-mitigation measures, preparing audits. Every organisation should be able to meet relevant requirements depending on the risk categorization of the deployed system. In order to be able to efficiently manage this process, organizations should develop and proactively monitor a risk-management programme that also includes documentation and record keeping. 

4.     Invest in AI compliance enablement 

Compliance with AI regulations requires a long-term effort. The most facilitating factor in this process will be the awareness of the employees. A well-prepared compliance programme alone is not sufficient to ensure effective compliance. Employees should also have awareness to adapt to this. For this reason, a checklist regarding the actions to be taken should be prepared and provided to the employees. Periodic training for the employees on AI systems, related obligations and legal regulations and ethical use of AI systems should be ensured.