wlmbrown commited on
Commit
b052718
·
1 Parent(s): 46c3659

removed deployers from scope of our system

Browse files
Files changed (3) hide show
  1. compliance_analysis.py +4 -8
  2. project_cc.yaml +25 -61
  3. utils.py +24 -9
compliance_analysis.py CHANGED
@@ -10,18 +10,14 @@ project_variables = {
10
  "high_risk_ai_system": False,
11
  "gpai_model_systematic_risk": False
12
  },
13
- "operator_role": {
14
  "provider": False,
15
- "deployer": False,
16
- "importer": False,
17
- "distributor": False,
18
- "product_manufacturer": False,
19
- "eu_located": False
20
  },
21
  "eu_market_status": {
22
  "placed_on_market": False,
23
- "put_into_service": False,
24
- "output_used": False
25
  }
26
  }
27
 
 
10
  "high_risk_ai_system": False,
11
  "gpai_model_systematic_risk": False
12
  },
13
+ "operator_details": {
14
  "provider": False,
15
+ "eu_located": False,
16
+ "output_used": False
 
 
 
17
  },
18
  "eu_market_status": {
19
  "placed_on_market": False,
20
+ "put_into_service": False
 
21
  }
22
  }
23
 
project_cc.yaml CHANGED
@@ -1,33 +1,16 @@
1
 
2
- # Information related to high-level characteristics of AI project, including the role of the operator, market status, and type of AI
3
 
4
- operator_role:
5
  provider: # Art. 2
6
  verbose: 'The operator of this AI project is a natural or legal person, public authority, agency or other body that develops an AI project or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge'
7
  value: !!bool false
8
- deployer: # Art. 2
9
- verbose: 'AI project operator is a natural or legal person, public authority, agency or other body using an AI project under its authority except where the AI system is used in the course of a personal non-professional activity'
10
- value: !!bool false
11
  eu_located: # Art. 2
12
  verbose: 'AI project operator has its place of establishment or location within the Union'
13
  value: !!bool True
14
  output_used: # Art. 2
15
  verbose: 'The output produced by the AI project is used in the Union'
16
  value: !!bool false
17
- importer: # Art. 2
18
- verbose: 'AI project operator is a natural or legal person located or established in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established in a third country'
19
- value: !!bool false
20
- distributor:
21
- verbose: 'AI project operator is a natural or legal person in the supply chain, other than a provider or the importer, that makes an AI system available on the Union market'
22
- value: !!bool false # Art. 2
23
- product_manufacturer:
24
- verbose: 'AI project operator is a product manufacturer'
25
- value: !!bool false # Art. 2
26
-
27
- # ypi: just to note that providers, deployers and product manufacturer that are outside of EU are still in scope if the output of AI is used within EU.
28
- # importer and distributor are only in scope if they locate within EU.
29
-
30
-
31
 
32
  eu_market_status:
33
  placed_on_market: # Art. 3(9)
@@ -58,6 +41,8 @@ gpai_model_systematic_risk:
58
  verbose: 'The cumulative amount of computation used for the training of the AI project, as measured in floating point operations (FLOPs), has been greater than 10^25'
59
  value: !!bool false
60
 
 
 
61
  transparency_related:
62
  direct_user_interaction:
63
  verbose: 'The AI project is intended to interact directly with natural persons'
@@ -98,10 +83,6 @@ excepted:
98
  verbose: 'AI project involves AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general purpose AI models with systemic risks'
99
  value: !!bool false
100
 
101
-
102
- #ypi: add peronal and non-professional use
103
- # ypi: The exemptions can be moved up to the operator role since it’s also related to Article 2.
104
-
105
  # Information related to practices prohibited by the Act
106
 
107
  prohibited_practice:
@@ -141,7 +122,7 @@ prohibited_practice:
141
  verbose: 'The AI project involves use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement stricly for the localisation or identification of a person suspected of having committed a criminal offence, for the purpose of conducting a criminal investigation or prosecution or executing a criminal penalty for offences referred to in Annex II and punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least four years.'
142
  value: !!bool false
143
 
144
-
145
 
146
  high_risk_ai_system:
147
  safety_component: # Art. 6(1)(a)
@@ -199,6 +180,8 @@ high_risk_ai_system:
199
  verbose: 'the AI project is intended to perform a preparatory task to an assessment relevant for the purposes of the use cases listed in Annex III.'
200
  value: !!bool false
201
 
 
 
202
  risk_management_system:
203
  established: # Article 9
204
  verbose: 'A risk management system has been established, implemented, documented and maintained for the AI project'
@@ -227,18 +210,14 @@ risk_management_system:
227
  testing_threshold: # Art. 9(8)
228
  verbose: 'Testing has or will be performed before the AI project is placed on the market and has or will be carried out against prior defined metrics and probabilistic thresholds that are appropriate to the intended purpose'
229
  value: !!bool false
 
 
 
 
 
 
230
 
231
- # ypi: I will also add:
232
- # vulnerable_groups: #Art. 9(9)
233
- # verbose: 'Adverse impacts in the view of intended purpose the high-risk AI system on individuals under 18 and other vulnerable groups have been considered'
234
- # value: !!bool true
235
- # integration_with_other_laws: #Art. 9(10)
236
- # description: 'For providers subject to other Union law requirements, risk management procedures may be integrated or combined with those established under such law.'
237
- # value: !!bool true
238
-
239
-
240
-
241
-
242
 
243
  technical_documentation:
244
  drawn_up: # Art. 11(1)
@@ -290,6 +269,7 @@ technical_documentation:
290
  ### verbose: 'The Technical Documentation includes a general description of the AI project that covers instructions for use for the deployer and a basic description of the user-interface provided, where applicable.'
291
  ### value: !!bool false
292
 
 
293
 
294
  record_keeping:
295
  logging_generally: # Article 12(1)
@@ -320,6 +300,8 @@ record_keeping:
320
  verbose: 'For the remote biometric identification systems high-risk AI systems referred to in point 1 (a), of Annex III, the logging capabilities shall provide, at a minimum, the identification of the natural persons involved in the verification of the results, as referred to in Article 14(5)'
321
  value: !!bool false
322
 
 
 
323
  transparency_and_provision_of_information_to_deployers:
324
  interpretability: # Art. 13(1)
325
  verbose: 'AI project is designed and developed to ensure operation is sufficiently transparent for deployers to interpret output and use appropriately'
@@ -367,6 +349,8 @@ transparency_and_provision_of_information_to_deployers:
367
  verbose: 'Instructions include description of mechanisms for deployers to collect, store, and interpret logs, if applicable'
368
  value: !!bool false
369
 
 
 
370
  human_oversight:
371
  designed: # Art. 14(1)
372
  verbose: 'AI project is designed and developed so as to be effectively overseen by natural persons during use, including through the use of appropriate human-machine interface tools'
@@ -396,6 +380,8 @@ human_oversight:
396
  verbose: 'For Annex III point 1(a) systems, actions or decisions require verification by at least two competent persons, with exceptions for law enforcement, migration, border control, or asylum'
397
  value: !!bool false
398
 
 
 
399
  accuracy_robustness_cybersecurity:
400
  design: # Art. 15(1)
401
  verbose: 'The AI project is designed and developed to achieve appropriate levels of accuracy, robustness, and cybersecurity, performing consistently throughout its lifecycle'
@@ -419,6 +405,8 @@ accuracy_robustness_cybersecurity:
419
  verbose: 'The AI project includes technical solutions that address AI-specific vulnerabilities, including measures against data poisoning, model poisoning, adversarial examples, and confidentiality attacks'
420
  value: !!bool false
421
 
 
 
422
  quality_management_system:
423
  quality_management_system: # Art. 17(1)(a)
424
  verbose: 'The AI project is subject to a quality management system with strategy for regulatory compliance'
@@ -433,6 +421,8 @@ quality_management_system:
433
  verbose: 'The quality management system that the AI project was subject to includes examination, test, and validation procedures before, during, and after development'
434
  value: !!bool false
435
 
 
 
436
  fundamental_rights_assessment:
437
  process: # Art. 27(1)(a)
438
  verbose: 'AI project has been subject to a fundamental rights impact assessment that includes a description of the deployer’s processes in which the AI project will be used in line with its intended purpose'
@@ -596,30 +586,4 @@ additional_provider_obligations: # apply these only if operator == provider and
596
  verbose: 'The AI project complies with accessibility requirements in accordance with Directives (EU) 2016/2102 and (EU) 2019/882'
597
  value: !!bool false
598
 
599
- additional_deployer_obligations: # apply these only if operator == deployer and ai_project_type == high_risk_ai_system
600
- accordance_with_instructions: # Article 26 (1)
601
- verbose: 'If operator is a deployer, that deployer has taken appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions for use accompanying the systems'
602
- value: !!bool false
603
- human_oversight: # Article 26 (2)
604
- verbose: 'If operator is a deployer, that deployer has assigned human oversight to natural persons who have the necessary competence, training and authority, as well as the necessary support.'
605
- value: !!bool false
606
- relevant_input: # Article 26 (4)
607
- verbose: 'If operator is a deployer, to the extent the deployer exercises control over the input data, that deployer shall ensure that input data is relevant and sufficiently representative in view of the intended purpose of the AI project'
608
- value: !!bool false
609
- monitoring: # Article 26 (5)
610
- verbose: 'If operator is a deployer, that deployer shall monitor the operation of the AI project on the basis of the instructions for use and, where relevant, inform providers in accordance with Article 72'
611
- value: !!bool false
612
- monitoring: # Article 26 (6)
613
- verbose: 'If operator is a deployer, that deployer shall keep the logs automatically generated by the AI project to the extent such logs are under their control, for a period appropriate to the intended purpose of the AI project, of at least six months, unless provided otherwise in applicable Union or national law, in particular in Union law on the protection of personal data.'
614
- value: !!bool false
615
- employees: # Article 26 (7)
616
- verbose: 'If operator is a deployer and an employer, before putting into service or using a AI project at the workplace, that deployers shall inform worker representatives and the affected workers that they will be subject to the use of the AI project.'
617
- value: !!bool false
618
- employees: # Article 26 (8)
619
- verbose: 'If operator is a deployer and a public authority, or Union institution, body, office or agency, that deployer shall register the AI project in the EU database per Article 49(3)'
620
- value: !!bool false
621
- employees: # Article 26 (9)
622
- verbose: 'If operator is a deployer and if applicable, the deployer used the information provided under Article 13 of this Regulation to comply with their obligation to carry out a data protection impact assessment under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680'
623
- value: !!bool false
624
 
625
- # Couple more to add from Article 26, using same format
 
1
 
2
+ # Information related to high-level characteristics of AI project, including the role of the operator, their location, and where the output is used
3
 
4
+ operator_details:
5
  provider: # Art. 2
6
  verbose: 'The operator of this AI project is a natural or legal person, public authority, agency or other body that develops an AI project or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge'
7
  value: !!bool false
 
 
 
8
  eu_located: # Art. 2
9
  verbose: 'AI project operator has its place of establishment or location within the Union'
10
  value: !!bool True
11
  output_used: # Art. 2
12
  verbose: 'The output produced by the AI project is used in the Union'
13
  value: !!bool false
 
 
 
 
 
 
 
 
 
 
 
 
 
 
14
 
15
  eu_market_status:
16
  placed_on_market: # Art. 3(9)
 
41
  verbose: 'The cumulative amount of computation used for the training of the AI project, as measured in floating point operations (FLOPs), has been greater than 10^25'
42
  value: !!bool false
43
 
44
+ # Information related to the additional transparency requirements in Article 50, if applicable
45
+
46
  transparency_related:
47
  direct_user_interaction:
48
  verbose: 'The AI project is intended to interact directly with natural persons'
 
83
  verbose: 'AI project involves AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general purpose AI models with systemic risks'
84
  value: !!bool false
85
 
 
 
 
 
86
  # Information related to practices prohibited by the Act
87
 
88
  prohibited_practice:
 
122
  verbose: 'The AI project involves use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement stricly for the localisation or identification of a person suspected of having committed a criminal offence, for the purpose of conducting a criminal investigation or prosecution or executing a criminal penalty for offences referred to in Annex II and punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least four years.'
123
  value: !!bool false
124
 
125
+ # Information related to whether or not the project, if an AI system, is a high-risk AI system
126
 
127
  high_risk_ai_system:
128
  safety_component: # Art. 6(1)(a)
 
180
  verbose: 'the AI project is intended to perform a preparatory task to an assessment relevant for the purposes of the use cases listed in Annex III.'
181
  value: !!bool false
182
 
183
+ # Information related to the risk management system requirements for high-risk AI systems (Article 9)
184
+
185
  risk_management_system:
186
  established: # Article 9
187
  verbose: 'A risk management system has been established, implemented, documented and maintained for the AI project'
 
210
  testing_threshold: # Art. 9(8)
211
  verbose: 'Testing has or will be performed before the AI project is placed on the market and has or will be carried out against prior defined metrics and probabilistic thresholds that are appropriate to the intended purpose'
212
  value: !!bool false
213
+ vulnerable_groups: #Art. 9(9)
214
+ verbose: 'Adverse impacts in the view of intended purpose the high-risk AI system on individuals under 18 and other vulnerable groups have been considered'
215
+ value: !!bool true
216
+ integration_with_other_laws: #Art. 9(10)
217
+ description: 'For providers subject to other Union law requirements, risk management procedures may be integrated or combined with those established under such law.'
218
+ value: !!bool true
219
 
220
+ # Information related to the risk management system requirements for high-risk AI systems (Article 11)
 
 
 
 
 
 
 
 
 
 
221
 
222
  technical_documentation:
223
  drawn_up: # Art. 11(1)
 
269
  ### verbose: 'The Technical Documentation includes a general description of the AI project that covers instructions for use for the deployer and a basic description of the user-interface provided, where applicable.'
270
  ### value: !!bool false
271
 
272
+ # Information related to the record keeping requirements for high-risk AI systems (Article 12)
273
 
274
  record_keeping:
275
  logging_generally: # Article 12(1)
 
300
  verbose: 'For the remote biometric identification systems high-risk AI systems referred to in point 1 (a), of Annex III, the logging capabilities shall provide, at a minimum, the identification of the natural persons involved in the verification of the results, as referred to in Article 14(5)'
301
  value: !!bool false
302
 
303
+ # Information related to the requirements that the providers of high-risk AI systems provide certain information to deployers (Article 13)
304
+
305
  transparency_and_provision_of_information_to_deployers:
306
  interpretability: # Art. 13(1)
307
  verbose: 'AI project is designed and developed to ensure operation is sufficiently transparent for deployers to interpret output and use appropriately'
 
349
  verbose: 'Instructions include description of mechanisms for deployers to collect, store, and interpret logs, if applicable'
350
  value: !!bool false
351
 
352
+ # Information related to the human oversight requirements for high-risk AI systems (Article 14)
353
+
354
  human_oversight:
355
  designed: # Art. 14(1)
356
  verbose: 'AI project is designed and developed so as to be effectively overseen by natural persons during use, including through the use of appropriate human-machine interface tools'
 
380
  verbose: 'For Annex III point 1(a) systems, actions or decisions require verification by at least two competent persons, with exceptions for law enforcement, migration, border control, or asylum'
381
  value: !!bool false
382
 
383
+ # Information related to the accuracy, robustness, and cybersecurity requirements for high-risk AI systems (Article 15)
384
+
385
  accuracy_robustness_cybersecurity:
386
  design: # Art. 15(1)
387
  verbose: 'The AI project is designed and developed to achieve appropriate levels of accuracy, robustness, and cybersecurity, performing consistently throughout its lifecycle'
 
405
  verbose: 'The AI project includes technical solutions that address AI-specific vulnerabilities, including measures against data poisoning, model poisoning, adversarial examples, and confidentiality attacks'
406
  value: !!bool false
407
 
408
+ # Information related to the quality management system requirements for high-risk AI systems (Article 17)
409
+
410
  quality_management_system:
411
  quality_management_system: # Art. 17(1)(a)
412
  verbose: 'The AI project is subject to a quality management system with strategy for regulatory compliance'
 
421
  verbose: 'The quality management system that the AI project was subject to includes examination, test, and validation procedures before, during, and after development'
422
  value: !!bool false
423
 
424
+ # Information related to the fundamental rights assessment that is required of high-risk AI systems (Article 27)
425
+
426
  fundamental_rights_assessment:
427
  process: # Art. 27(1)(a)
428
  verbose: 'AI project has been subject to a fundamental rights impact assessment that includes a description of the deployer’s processes in which the AI project will be used in line with its intended purpose'
 
586
  verbose: 'The AI project complies with accessibility requirements in accordance with Directives (EU) 2016/2102 and (EU) 2019/882'
587
  value: !!bool false
588
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
589
 
 
utils.py CHANGED
@@ -55,26 +55,41 @@ def set_eu_market_status(project_variables, project_cc_yaml):
55
  return project_variables
56
 
57
 
58
- def check_within_scope(project_variables, project_cc_yaml):
 
 
 
 
 
 
 
 
 
 
 
 
59
 
60
  ai_system = project_variables['ai_project_type']['ai_system']
 
 
 
 
 
 
 
61
 
62
  if not check_excepted(project_cc_yaml):
63
- if provider and ((ai_system and (placed_on_market or put_into_service)) or (gpai_model and placed_on_market)): # Article 2.1(a)
64
- return True
65
- if deployer and eu_located: # Article 2.1(b)
66
- return True
67
- if (provider or deployer) and (ai_system and eu_located and output_used): # Article 2.1(c)
68
- return True
69
- if (importer or distributor) and ai_system: # Article 2.1(d)
70
  return True
71
- if product_manufacturer and ai_system and (placed_on_market or put_into_service): # Article 2.1(e)
72
  return True
73
  else:
 
74
  return False
75
 
76
  def check_excepted(project_cc_yaml):
77
  if project_cc_yaml['excepted']['scientific'] or project_cc_yaml['excepted']['pre_market'] or (ai_system and project_cc_yaml['excepted']['open_source_ai_system']) or (gpai_model and project_cc_yaml['excepted']['open_source_gpai_system']):
 
78
  return True
79
  else:
80
  return False
 
55
  return project_variables
56
 
57
 
58
+ def check_within_scope_cc(project_variables):
59
+
60
+ # Check that the person filling out the form (the operator) is in fact a provider;
61
+
62
+ if project_variables['operator_details']['provider']:
63
+ return True
64
+ else:
65
+ print("The initial versiton of the Compliance Cards System is for provider-side compliance analyses only.")
66
+ return False
67
+
68
+ def check_within_scope_act(project_variables, project_cc_yaml):
69
+
70
+ # Check that the project is within the scope of the Act
71
 
72
  ai_system = project_variables['ai_project_type']['ai_system']
73
+ gpai_model = project_variables['ai_project_type']['gpai_model']
74
+
75
+ placed_on_market = project_variables['eu_market_status']['placed_on_market']
76
+ put_into_service = project_variables['eu_market_status']['put_into_service']
77
+
78
+ eu_located = project_variables['operator_details']['eu_located']
79
+ output_used = project_variables['operator_details']['output_used']
80
 
81
  if not check_excepted(project_cc_yaml):
82
+ if ((ai_system and (placed_on_market or put_into_service)) or (gpai_model and placed_on_market)): # Article 2.1(a)
 
 
 
 
 
 
83
  return True
84
+ if (ai_system and eu_located and output_used): # Article 2.1(c)
85
  return True
86
  else:
87
+ print("Your project is not within the scope of the Act and its requirements.")
88
  return False
89
 
90
  def check_excepted(project_cc_yaml):
91
  if project_cc_yaml['excepted']['scientific'] or project_cc_yaml['excepted']['pre_market'] or (ai_system and project_cc_yaml['excepted']['open_source_ai_system']) or (gpai_model and project_cc_yaml['excepted']['open_source_gpai_system']):
92
+ print("Your project falls into one of the exemptions from the Act.")
93
  return True
94
  else:
95
  return False