
Thursday Apr 03, 2025
ECIIA: The AI Act – Road to Compliance
Summary of https://www.eciia.eu/wp-content/uploads/2025/01/The-AI-Act-Road-to-Compliance-Final-1.pdf
"The AI Act: Road to Compliance" serves as a practical guide for internal auditors navigating the European Union's Artificial Intelligence Act, which entered into force in August 2024. It outlines the key aspects of the AI Act, including its risk-based approach that categorizes AI systems and imposes varying obligations based on risk levels, as well as the different roles of entities within the AI value chain, such as providers and deployers.
The guide details the implementation timeline of the Act and the corresponding obligations and requirements for organizations. Furthermore, it presents survey results from over 40 companies regarding their AI adoption, compliance preparations, and the internal audit function's understanding and auditing of AI. Ultimately, the document emphasizes the crucial role of internal auditors in ensuring their organizations achieve compliance and responsibly manage AI risks.
- The EU AI Act is now in force (August 1, 2024) and employs a risk-based approach to regulate AI systems, categorizing them into unacceptable, high, limited, and minimal risk levels, with increasing obligations corresponding to higher risk. There's also a specific category for General Purpose AI (GPAI) models, with additional requirements for those deemed to have systemic risk.
- Organizations involved with AI systems have different roles (provider, deployer, importer, distributor, authorised representative), each with distinct responsibilities and compliance requirements under the AI Act. The provider and deployer are the primary roles, with providers facing more extensive obligations.
- Compliance with the AI Act has a phased implementation timeline with key dates starting from February 2025 (prohibited AI systems) through August 2027 (high-risk AI components in products). Organizations need to start preparing by creating AI inventories, classifying systems by risk, and establishing appropriate policies.
- Internal auditors play a vital role in helping organizations achieve compliance with the AI Act by assessing AI risks, auditing AI processes and governance, and making recommendations. They need to ensure the implementation of AI Act requirements within their organizations.
- A recent survey of over 40 companies revealed widespread AI adoption but a relatively low level of understanding of the AI Act within internal audit departments. Most internal audit departments are not yet leveraging AI, but when they do, it's mainly for risk assessment. Ensuring adequate AI auditing skills through training is highlighted as a need.