Estonian Information System Authority publishes Report on Risks and Controls for AI and Machine Learning Systems

Estonia’s Information System Authority (RIA) published a comprehensive report on 27 May 2024, titled “Risks and Controls for Artificial Intelligence and Machine Learning Systems”. The report aims to support the adoption of AI technology by providing detailed guidance on ensuring cybersecurity, meeting legal requirements, and maintaining societal safety.

Historical Context and Definitions

The report begins with an overview of the history of AI, detailing its evolution from early cybernetic studies to modern machine learning and large language models. Definitions and abbreviations for common AI terms are provided to ensure clarity.

AI Applications and Trends

The report discusses various use cases for AI, emphasising its potential to add value across multiple sectors. It highlights trends such as the shift from general-purpose to special-purpose AI, the movement towards open-source models, and the expanding regulatory landscape, including the EU AI Act and the draft AI Liability Directive.

Legal Aspects

Legal considerations are thoroughly reviewed, focusing on international initiatives, EU proposals, and specific regulations. The legal roles of AI system stakeholders are examined through the lenses of GDPR and the AI Act.

Deployment Models and Risk Assessment

Three deployment models for AI applications are presented:

  • using an AI API,
  • implementing an external AI model, and
  • using an in-house AI model.

The report outlines the risks associated with each deployment model and offers a detailed risk management methodology. Section 5.2 covers information security risks, legal risks, and AI-specific risks, including attacks against AI systems.

Practical Controls and Recommendations

Section 6 reviews controls for mitigating AI-specific risks, including improving AI system quality and safety, and addressing technological and societal risks. Policy recommendations are summarized to promote safe AI application in Estonia.

Quick Reference Guide

The most practical part of the report is Section 8, a quick reference guide for organizations.

It includes steps for describing AI systems, finding suitable deployment models, identifying applicable laws, evaluating threats, and selecting appropriate controls. The guide is designed to help organizations implement AI safely and effectively, with worksheets and decision charts to facilitate the process.
