The AI Act is complicated legislation because it aims to regulate a ‘family’ of complex technologies with an extensive set of requirements and obligations that will apply to specific AI systems or AI systems used in specific use cases. In addition, the AI Act interacts with other impactful regulations such as the GDPR and copyright law, and has some consumer law characteristics (on the transparency side). This means that stakeholders from different functions within your organization should join forces, and that they should look at the AI Act collectively.
Considering that the exact content and timings of the AI Act will become more clear over the next few months, this is the perfect moment to start preparing and to start focusing on the ‘who side’. Who do I need in the team that deals with the AI Act? Who should be accountable and responsible for adherence to this act? Who is already dealing with other legislation regarding the digital technologies that I am using, and are there overlapping requirements and obligations?
In other words: start working now on your new Target Operating Model that incorporates the AI Act in your existing organization. Determine what capacities you already have, which new ones you’ll need and what training people require. Addressing technology, data and cyber legislation in general and the AI Act more in particular, requires a multi-disciplinary approach and not as a one off, but in a sustainable and clear governance. Subject Matter Experts with different backgrounds and from different functions benefit from such governance. By doing so you will ensure alignment to the AI Act with other (upcoming) rules and regulations (in the legislative pipeline) on e.g. data and cyber, preventing double work and other inefficiencies while increasing knowledge sharing.
Other no regret activities that you can start performing include: map the AI systems you are using and for what purpose, determine the risk level of the AI systems and determine your role in the supply chain. As for compliance, you can learn from the GDPR. Which processes, tools, guidance, and self-assessments can you ‘refurbish’ for AI Act compliance?