6.4.13 · D4AI Safety & Alignment

Exercises — AI governance and regulation (EU AI Act)

2,943 words13 min readBack to topic

Before we start, two ideas appear everywhere, so we anchor them once.

Figure — AI governance and regulation (EU AI Act)

How to read the figure (in words, in case you can't see it): the horizontal axis lists the four tiers in order Minimal, Limited, High, Unacceptable. The vertical axis is "weight of legal obligation." Each tier is a coloured bar; the taller the bar, the heavier the legal duty. Minimal is a tiny green bar (no obligations), Limited a short blue bar (transparency only), High a tall orange bar (the full compliance stack), and Unacceptable the tallest red bar, marked "PROHIBITED" — a red arrow flags that this top bar is a hard wall with no compliance route, not just "more paperwork." This single picture answers most L1 and L2 questions.


Level 1 — Recognition

Goal: recall the categories and their labels. No reasoning chains yet — just "which box?"

Q1. Name the four risk tiers of the EU AI Act, from most dangerous to least dangerous.

Recall Solution

UnacceptableHighLimitedMinimal. Memory hook: U-H-L-M, "Ugh, Handle Lightly, Minimal." Top of the ladder is the red "banned" box; bottom is the green "do-what-you-like" box.

Q2. A website chatbot answers customer questions. Which tier does it fall into, and what is its one legal duty?

Recall Solution

Tier: Limited risk (the blue box). Duty: transparency (T1 — disclosure of AI use) — it must disclose to the user that they are talking to an AI, unless that is already obvious from context. Nothing more (no audits, no logs mandated).

Q3. True or false: a government "citizen trustworthiness score" that rates people by their everyday behaviour is merely high-risk and can be used if documented well.

Recall Solution

False. Government social scoring sits in the Unacceptable tier — it is prohibited outright. No amount of documentation makes it legal, because it violates human dignity and freedom of thought. Documentation is a high-risk remedy; it does not apply to a banned system.


Level 2 — Application

Goal: take a fresh scenario and apply the sorting rule and the obligations.

Q4. A hospital deploys AI that reads chest X-rays to flag possible lung cancer. (a) Which tier? (b) List three concrete obligations it must meet.

Recall Solution

(a) High risk — medical diagnosis affects health and safety; a wrong output can be life-threatening. (b) Any three of:

  • Accuracy to clinical standards (e.g. sensitivity target).
  • Robustness testing across scanner types, hospitals, and patient demographics.
  • Record-keeping — log each prediction with its confidence score for later dispute review.
  • Human oversight — a radiologist reviews the AI output; AI is a "second opinion," not the final word.
  • Data governance — diverse training data across age/ethnicity/disease stage.

Q5. A deepfake tool generates a realistic video of a public figure. Which tier, and what is the required action on the output?

Recall Solution

Tier: Limited risk (transparency tier). Required action: transparency (T2 — output labelling) — the generated media must be labelled as artificially generated / synthetic so viewers know it is not a genuine recording. Rationale: misinformation prevention + informed judgement.

Q6. A spam filter in an email client and an AI opponent in a video game — which tier, and what obligations?

Recall Solution

Both are Minimal risk (green box). Obligations: none mandated by the Act. The Act deliberately leaves the vast majority of everyday AI unburdened so innovation is not choked.


Level 3 — Analysis

Goal: compare cases, diagnose which rule triggers, and separate look-alikes.

Q7. Police A run live facial recognition on a crowd at a protest to identify everyone present. Police B, weeks later, review recorded CCTV footage to identify one specific suspect in a solved-crime file. Classify each and explain the difference.

Recall Solution
  • Police A: Unacceptable / prohibited. This is real-time remote biometric identification in public spaces for mass surveillance — banned (outside narrow, judicially-approved exceptions).
  • Police B: Allowed as post-event targeted analysis — it is not live, it is not blanket-scanning a crowd, and it operates within investigative oversight.
  • The dividing lines: (1) real-time vs post-event, (2) public space mass scan vs targeted specific investigation. Live crowd scanning creates a permanent chilling effect on public behaviour; post-hoc targeted review has oversight and a specific subject.

Q8. A hiring AI screens résumés. It is trained on 10 years of past hires that were 80% male. Which obligation is most directly at stake, and what test would you run?

Recall Solution

Most direct obligation: Data governance (quality and bias testing) — because AI learns patterns from data, and skewed data teaches a skewed model.

First, two fairness ideas in plain words (we define them before using them):

  • Demographic parity asks: do the groups get selected at the same rate? If 50% of men are picked but only 30% of women, that rate gap is a demographic-parity failure. It looks only at who gets chosen, ignoring who was actually qualified.
  • Equalized odds is stricter: among the people who truly deserved the job, is the "yes" rate the same across groups — and among those who didn't, is the "wrong-yes" rate the same too? It compares the AI against ground truth, not just raw selection counts.

Test: run these fairness metrics on a validation set and compare the numbers across groups.

Worked number — the four-fifths (80%) rule sanity check (a common demographic-parity screen): suppose the AI selects 50% of male applicants and 30% of female applicants. The impact ratio is Since , the system fails the four-fifths screen → strong sign of disparate impact (one group is harmed at a much higher rate), flagging a data-governance breach.

Q9. Two systems both use facial data. System X unlocks your personal phone with your face. System Y is a city network scanning every pedestrian in real time. Why is one fine and the other banned, even though "both use faces"?

Recall Solution

The surface feature (faces) is identical; the legal trigger is context.

  • System X: non-public, consenting, single-usernot "remote identification in public space." It sits in Minimal risk (green box) with no obligations under the Act — it is fully allowed.
  • System Y: remote, real-time, public, mass → this is exactly the Unacceptable / prohibited category — banned. The Act regulates the deployment context, not the raw technology. "Uses facial data" is not a classification; "real-time remote public mass identification" is.

Level 4 — Synthesis

Goal: combine multiple obligations into a coherent compliance design.

Q10. You are the compliance lead for a bank's loan-approval AI. Design a compliant deployment: state the tier and give the compliance stack (name each component and the harm it addresses).

Recall Solution

Tier: High risk (credit access is a listed critical domain; wrongful denial harms fundamental economic rights). Compliance stack — component → harm it prevents:

  1. Risk management system → you cannot mitigate risks you never enumerated (bias, error, exploitation).
  2. Data governance → skewed training data → biased approvals; test with fairness metrics (demographic parity / equalized odds, defined in Q8).
  3. Technical documentation → auditability when a rejected applicant complains.
  4. Record-keeping (logs) → traceability: reconstruct what data, what model, what decision.
  5. Transparency (T3 — right to contest) → applicant's right to know AI was used and to challenge the decision, with an explanation.
  6. Human oversight → a loan officer can override the model in context-heavy cases.
  7. Accuracy, robustness, cybersecurity → resist adversarial manipulation. (An adversarial example is a cleverly tweaked input designed to fool the model — see 6.4.4-Robustness-and-adversarial-examples for the full treatment.)

Q11. Chain three vault ideas: connect this loan AI's obligations to (i) a model that games its metric, (ii) the need to explain a decision, and (iii) why we still care beyond compliance.

Recall Solution
  • (i) Reward hacking = the AI scores well on its stated metric by exploiting a loophole rather than doing the intended job (e.g. maximising "approval accuracy" via a shortcut that quietly harms one group). Data governance + fairness testing is the countermeasure. Full topic: 6.4.2-Reward-hacking.
  • (ii) The applicant's right to contest (T3) requires the decision be explainable — you must be able to state why the model said no. That readability of a model's reasoning is interpretability. Logs alone are not enough if no one can read them. Full topic: 6.4.3-Interpretability-and-explainability.
  • (iii) Compliance is a floor, not a ceiling: the broader project of getting powerful systems to actually do what we intend is ongoing AI safety research (6.4.5-AI-safety-research), and its most severe motivation is the worry that very capable future systems could cause irreversible, civilisation-scale harm — long-term existential risk (6.4.12-Long-term-existential-risks).

Level 5 — Mastery

Goal: the messy, degenerate, or boundary case the rules don't spell out cleanly.

Q12. A toy company builds a voice-activated doll that, to keep children engaged, nudges them toward buying in-app upgrades and occasionally toward mildly unsafe "dares." Two different provisions could apply. Identify both, decide the final tier, and justify.

Recall Solution

Two candidate provisions:

  • Manipulative AI that exploits vulnerabilities of a specific group (here, children).
  • Subliminal techniques influencing behaviour below awareness. Both are Unacceptable / prohibited. Final tier: banned. Justification: it exploits the vulnerability of a protected group and undermines autonomy/informed consent — no transparency label or human-oversight bolt-on can rescue a prohibited purpose. (Contrast: an honest educational talking toy with clear disclosure and no manipulation would be limited-risk.)

Q13. A single deployment blends two tiers: a hospital's diagnostic AI (high-risk) also runs a patient-facing chatbot to explain results. How do you classify a mixed system, and what does compliance look like?

Recall Solution

Rule for mixed systems: classify each function by its own risk, and the deployment must satisfy the union (the strictest applicable set), not the average.

  • Diagnostic function → high-risk full stack (accuracy, robustness, logs, human oversight, data governance, documentation, right-to-contest).
  • Chatbot function → limited-risk transparency (T1 — disclose "you are talking to an AI"). Result: the chatbot's T1 disclosure duty stacks on top of, not instead of, the diagnostic high-risk obligations. You never let the lighter tier dilute the heavier one.

Q14. Degenerate case: an AI is developed and hosted entirely in another country, but EU residents use its outputs (e.g. it screens EU job applicants). Does the Act apply? What is the zero-case (no EU users at all)?

Recall Solution

Applies? Yes. The Act is triggered by use/effect within the EU market, not by where the system was built. A foreign-built hiring AI affecting EU applicants must comply as a high-risk system. Zero-case (no EU users, no EU market effect): the Act does not apply — jurisdiction is the limiting condition. As EU-market involvement → 0, obligations → 0. This mirrors the parent note: "regardless of where it's developed," but conditioned on the EU market.


Recall Self-test cloze — quick recall pass

The four tiers in order of danger ::: Unacceptable, High, Limited, Minimal A chatbot's single legal duty ::: transparency T1 (disclose it is AI) A deepfake's required action ::: transparency T2 (label the output as synthetic) The high-risk "right to contest" duty ::: transparency T3 (explain and allow a challenge) A prohibited system can be made legal with enough paperwork ::: No — prohibited is a hard wall A loan-approval AI's tier ::: High risk Demographic parity checks ::: whether groups are selected at equal rates Equalized odds checks ::: whether, against ground truth, correct-yes and wrong-yes rates match across groups Mixed-tier deployment obeys the ::: union / strictest applicable obligations The Act's jurisdiction is triggered by ::: use / effect in the EU market, not where it was built Four-fifths screen: impact ratio 0.30/0.50 = 0.60, which ::: fails (below 0.80) → disparate impact