6.4.13 · HinglishAI Safety & Alignment

AI governance and regulation (EU AI Act)

3,690 words17 min readRead in English

6.4.13 · AI-ML › AI Safety & Alignment

EU AI Act Kya Hai?

Chaar Risk Categories

Act AI ko chaar tiers mein divide karta hai:

┌─────────────────────────┐
│  UNACCEPTABLE RISK → PROHIBITED         │
│  (Social scoring, real-time biometric   │
│   surveillance in public, manipulation) │
└────────────────────────┘
           ↓
┌────────────────────────────────┐
│  HIGH RISK → STRICT REQUIREMENTS        │
│  (Critical infrastructure, employment,  │
│   education, law enforcement, medical)  │
└────────────────────────┘
           ↓
┌─────────────────────────────┐
│  LIMITED RISK → TRANSPARENCY ONLY       │
│  (Chatbots, deepfakes, emotion recog.)  │
└────────────────────────┘
           ↓
┌────────────────────────────────┐
│  MINIMAL RISK → NO OBLIGATIONS          │
│  (AI-enabled games, spam filters)       │
└────────────────────────┘

Yeh structure KYUN hai?

  • Unacceptable risk: Jo systems fundamentally human rights violate karte hain, unhe seedha ban kiya jaata hai (koi gradual phase-in nahi).
  • High risk: Jo systems safety/fundamental rights ko affect karte hain, unhe rigorous testing, documentation, aur human oversight chahiye.
  • Limited risk: Transparency users ko informed choices karne deti hai ("Yeh text AI-generated tha").
  • Minimal risk: Zyada tar AI applications—innovation par burden daalne ki koi wajah nahi.

High-Risk AI Requirements: Compliance Ka Core

Example 1: Hiring AI System (High-Risk)

Scenario: Ek company job applications screen karne ke liye AI use karti hai.

Yeh high-risk kyun hai: Employment ek fundamental right hai; biased AI discriminate kar sakta hai.

Compliance steps:

  1. Risk Management:

    • Hum kya karte hain: Risks identify karo (gender bias, age bias, accessibility issues).
    • Yeh step kyun?: Jo risks identify nahi hue, unhe mitigate nahi kar sakte. Proactive thinking force hoti hai.
  2. Data Governance:

    • Hum kya karte hain: Ensure karo ki training data diverse demographics represent kare; protected attributes ke across bias test karo.
    • Yeh step kyun?: AI data se patterns seekhta hai. Agar training data certain groups ko overrepresent kare, toh model bhi wahi karega.
    • Check: Validation set par fairness metrics (demographic parity, equalized odds) run karo.
  3. Technical Documentation:

    • Hum kya karte hain: Model architecture, training data sources, performance metrics, known limitations document karo.
    • Yeh step kyun?: Auditability. Agar koi rejected candidate complain kare, toh regulators ko samajhna hoga ki decisions kaise hue.
  4. Human Oversight:

    • Hum kya karte hain: HR staff final decisions se pehle AI recommendations review kare; override kar sake.
    • Yeh step kyun?: AI woh patterns pakadta hai jo humans miss karte hain, lekin humans woh context pakad lete hain jo AI miss karta hai. Complementary strengths hain.
  5. Transparency:

    • Hum kya karte hain: Applicants ko inform karo ki AI use ho raha hai; decision factors ki explanation do.
    • Yeh step kyun?: Applicants ka haq hai jaanne ka aur automated decisions ko contest karne ka.

Prohibited AI Systems: Lal Lakeerein

Derivation: Yeh prohibitions EU Charter of Fundamental Rights se derive hoti hain:

  • Social scoring → dignity (Art. 1), freedom of thought (Art. 10) violate karta hai
  • Mass biometric surveillance → privacy (Art. 7, 8) violate karta hai
  • Manipulation → autonomy aur dignity violate karta hai

Limited Risk: Transparency Tier

General-Purpose AI (GPAI) aur Foundation Models

Act mein general-purpose AI (GPAI) jaise GPT, DALL-E, LLaMA—jinhe kisi specific use case ke liye design nahi kiya gaya—ke liye special provisions hain.

Example chain:

  1. OpenAI GPT-5 train karta hai → GPAI provider obligations (training data document karo, systemic risks test karo)
  2. Hospital GPT-5 khareedta hai ek diagnostic chatbot banane ke liye → High-risk AI obligations (clinical validation, human oversight, etc.)

Agar diagnostic chatbot fail ho, toh dono OpenAI aur hospital liable ho sakte hain (depend karta hai ki failure kahan se aayi).

Enforcement aur Penalties

EU AI Act Globally Kyun Matter Karta Hai

Practical Compliance Workflow

Ek high-risk AI system deploy karne wali company ke liye:

Step 1: Risk Assessment
   ↓
Is it high-risk? (Check Annex III of Act)
   ├─ No → Transparency requirements only (if limited risk)
   └─ Yes↓
Step 2: Data Governance
   ↓
Audit training data for quality, bias
   ↓
Step 3: Technical Documentation
   ↓
Document architecture, training process, performance
   ↓
Step 4: Testing & Validation
   ↓
Test on representative data; compute fairness/accuracy metrics
   ↓
Step 5: Human Oversight Design
   ↓
Define human review points, override mechanisms
   ↓
Step 6: Conformity Assessment
   ↓
Self-assessment or third-party audit (depends on system type)
   ↓
Step 7: CE Marking & Registration
   ↓
Register in EU database; afix CE mark to product
   ↓
Step 8: Post-Market Monitoring
   ↓
Log incidents, retrain as needed, report serious issues

Time estimate: Full compliance ke liye 6-18 months (system complexity par depend karta hai).

Cost estimate: €100k–€5M (legal, technical, audit costs).

Recall Feynman Explanation for a 12-Year-Old

Imagine karo tumne ek robot banaya jo teachers ko homework grade karne mein help karta hai. Woh bahut smart hai aur bahut time bachata hai! Lekin kya hoga agar robot galti se certain neighborhoods ke bachon ko kharab grades de kyunki usne biased past data se seekha? Yeh toh fair nahi hai, na?

EU AI Act robots aur AI ke liye ek rulebook ki tarah hai. Yeh kehta hai:

  1. Dangerous robots ban hain (jaise robots jo sabko spy karein ya logon ko trick karein).
  2. Important robots ko extra careful rehna hoga (jaise robots jo homework grade karein ya doctors ki help karein). Unhe test karna hoga ki woh fair hain, aur human hamesha unka kaam check kare.
  3. Chatbots ko honest rehna hoga ("Hi, main ek robot hoon!" instead of human hone ka pretend karna).
  4. Simple robots kuch bhi kar sakte hain (jaise chess khelne wala robot ya spam filter).

Hume yeh kyun chahiye? Kyunki AI bahut powerful hota ja raha hai, aur agar rules na ho, toh koi aisa robot bana sakta hai jo unfair decisions le (jaise logon ko unke naam ya skin color ki wajah se jobs ke liye reject kare) ya logon ko unke bina jaane spy kare. Rules ensure karte hain ki AI logon ki help kare bina unhe hurt kiye.

Yeh waise hi hai jaise cars chalane ke rules hain: tumhe license chahiye, car mein seatbelts aur airbags hone chahiye, aur tum footpath par drive nahi kar sakte. Same idea—rules powerful cheezon ko safe rakhte hain!

Connections

  • 6.4.1-Value-alignmentproblem: AI Act alignment ka ek governance solution hai. Jahan technical alignment ensure karta hai ki AI wahi kare jo hum chahte hain, regulation ensure karti hai ki jo hum chahte hain woh humane ho.
  • 6.4.2-Reward-hacking: High-risk requirements (human oversight, logging) detect karne mein help karte hain jab deployed AI metrics ko harmful ways mein "game" kare.
  • 6.4.3-Interpretability-and-explainability: Explainability high-risk systems ke liye "transparency" requirements ke under mandated hai—directly relevant.
  • 6.4.4-Robustness-and-adversarial-examples: Robustness testing ek compliance requirement hai. Act adversarial defenses par research incentivize karta hai.
  • 6.4.5-AI-safety-research: Act AI safety research fund karta hai; certification bodies ko standards chahiye, jo safety research provide karti hai.
  • 6.4.12-Long-term-existential-risks: Act near-term harms (bias, privacy) address karta hai. Long-term risks (AGI alignment) scope se bahar hain, lekin GPAI systemic risk provisions ek step hain.

#flashcards/ai-ml

EU AI Act ke regulatory approach ka core principle kya hai? :: Risk-based approach—AI systems ko risk level ke hisaab se classify kiya jaata hai (unacceptable, high, limited, minimal), zyada risk wale systems par stricter requirements hoti hain.

EU AI Act mein chaar risk categories kya hain?
1) Unacceptable (prohibited), 2) High-risk (strict requirements), 3) Limited risk (transparency only), 4) Minimal risk (no obligations).
EU AI Act ke under prohibited (unacceptable risk) AI systems ke do examples do.
1) Governments dwara social scoring, 2) Public spaces mein real-time remote biometric identification (narrow exceptions ke saath).
High-risk AI systems ke saat core requirements kya hain?
1) Risk management, 2) Data governance, 3) Technical documentation, 4) Record-keeping, 5) Transparency, 6) Human oversight, 7) Accuracy/robustness/cybersecurity.
Hiring AI system ko high-risk kyun classify kiya jaata hai?
Employment ek fundamental right hai; biased AI protected groups ke saath discriminate kar sakta hai, equality principles violate karte hue.
EU AI Act ke under limited-risk AI systems (jaise chatbots) ko kya karna chahiye?
Users ko disclose karo ki woh AI ke saath interact kar rahe hain (transparency obligation).
Prohibited AI systems deploy karne par penalty kya hai?
€35 million tak ya global annual revenue ka 7%, jo bhi zyada ho.
Act ke under GPAI (general-purpose AI) obligations kya hain?
Providers ko model documentation (capabilities, limitations, data sources) publish karna hoga, copyright compliance ensure karni hogi, aur bahut bade models ke liye systemic risk evaluations karne honge.
EU AI Act ke context mein "Brussels Effect" kya hai?
Non-EU companies bhi aksar EU AI Act globally follow karti hain kyunki 1) EU market access milta hai, 2) do versions banana inefficient hai, 3) yeh ek de facto global standard ban jaata hai jo dusre jurisdictions copy karte hain.
EU AI Act high-risk systems ke liye human oversight kyun require karta hai?
Edge cases aur context jo AI miss kare unhe pakadne ke liye, AI decisions ko override karne ke liye, aur accountability maintain karne ke liye (insaan zimmedaar hain, machines nahi).

Banned real-time biometric surveillance aur allowed post-event analysis mein kya farq hai? :: Public mein real-time scanning mass surveillance aur chilling effects create karta hai; specific crimes ke baad post-hoc targeted analysis (judicial oversight ke saath) ka investigative purpose hota hai.

Act high-risk AI ke liye data governance kyun mandate karta hai?
Biased ya low-quality training data se biased/inaccurate AI decisions hoti hain; data governance ensure karta hai ki training data representative ho aur deployment se pehle bias ke liye test ki gayi ho.

Concept Map

rules of the road

core principle

classifies into

tier 1

tier 2

tier 3

tier 4

leads to

requires

requires

requires

derived from

needs traceability

needs quality control

needs safety net

AI Governance

EU AI Act 2024

Risk-Based Approach

Four Risk Categories

Unacceptable Risk

High Risk

Limited Risk

Minimal Risk

Prohibited Outright

Strict Compliance

Transparency Only

No Obligations

Harm Prevention Model

Documentation and Logs

Data Governance and Bias Testing

Human Oversight