w3c / dpv

Data Privacy Vocabularies and Controls CG (DPVCG)
https://w3id.org/dpv

[Review] EU AI Act Concepts #163

Closed DelaramGlp closed 5 months ago

DelaramGlp commented 5 months ago
  1. Do we want to add sources for the AI Act concepts, i.e. article numbers, or shall we wait for the official publication?

  2. Definitions needed for eu-aiact:FRIA and eu-aiact:HighRiskAIAssessment.

  3. eu-aiact:AIOperator should be added as a parent for eu-aiact:AIProvider, eu-aiact:AIDeployer, eu-aiact:AIDistributor, eu-aiact:AIImporter, eu-aiact:AuthorisedRepresentative.

  4. I think eu-aiact:ProductManufacturer needs to be added, though there is no definition for it.

  5. The link to pd:Biometric is missing.

  6. See more section for all the capabilities needs to be fixed "section [PURPOSE] [CAPABILITIES] (https://w3c.github.io/dpv/legal/eu/aiact/#vocab-purpose)". The link goes to the capability section but you might want to change the URL to https://w3c.github.io/dpv/legal/eu/aiact/#vocab-capability. Also, in the introduction taxonomy of purposes should be replaced with taxonomy of capabilities.

  7. eu-aiact:BiometricIdentityVerification: is it a Purpose or Capability?

  8. eu-aiact:EmotionRecognitionSystem: related terms aia:EmotionRecognition should be eu-aiact:EmotionRecognition

  9. Based on the definition of eu-aiact:NationalCompetentAuthority, it is the parent of eu-aiact:NotifyingAuthority and eu-aiact:MarketSurveillanceAuthority.

  10. dpv:risk needs to be fixed: dpv:Risk with the following link: https://w3c.github.io/dpv/dpv/#Risk

  11. risk:Misuse is missing in the risk extension.

coolharsh55 commented 5 months ago

Hi. Thanks for the review.

> 1. Do we want to add sources for the AI Act concepts, i.e. article numbers, or shall we wait for the official publication?

Let's wait for official publication and article numbers.

> 2. Definitions needed for `eu-aiact:FRIA` and `eu-aiact:HighRiskAIAssessment`.

Added: FRIA - An assessment undertaken to evaluate how the system might impact fundamental rights, and High Risk AI Assessment - An assessment undertaken to determine whether the AI system is classified as high-risk (we will replace with official descriptions from the final version?)

> 3. `eu-aiact:AIOperator` should be added as a parent for `eu-aiact:AIProvider`, `eu-aiact:AIDeployer`, `eu-aiact:AIDistributor`, `eu-aiact:AIImporter`, `eu-aiact:AuthorisedRepresentative`.

done

> 4. I think eu-aiact:ProductManufacturer needs to be added, though there is no definition for it.

Okay, added as AIProductManufacturer for consistency with other terms, and with definition as "entity that manufactures the product" and parent as tech:Manufacturer

> 5. The link to pd:Biometric is missing.

Where? Do you mean in the related field for term? If so, then it will be fixed with #161

> 6. See more section for all the capabilities needs to be fixed "section [PURPOSE] [CAPABILITIES] (https://w3c.github.io/dpv/legal/eu/aiact/#vocab-purpose)". The link goes to the capability section but you might want to change the URL to https://w3c.github.io/dpv/legal/eu/aiact/#vocab-capability. Also, in the introduction taxonomy of purposes should be replaced with taxonomy of capabilities.

Thanks, this is probably left over from when we had 'purpose'. I've changed the module name to capability now.

> 7. eu-aiact:BiometricIdentityVerification: is it a Purpose or Capability?

In DPV identity verification is a purpose, so this would be a purpose here as well? It should have been a capability but that would mean going back and changing the DPV purposes list as well. For the AI Act, I'm fine if this is considered a capability for consistency for now.

> 8. eu-aiact:EmotionRecognitionSystem: related terms aia:EmotionRecognition should be eu-aiact:EmotionRecognition

fixed

> 9. Based on the definition of eu-aiact:NationalCompetentAuthority, it is the parent of eu-aiact:NotifyingAuthority and eu-aiact:MarketSurveillanceAuthority.

added

> 10. dpv:risk needs to be fixed: dpv:Risk with the following link: https://w3c.github.io/dpv/dpv/#Risk

Where? I found one in eu-aiact:Risk definition, fixed that.

> 11. risk:Misuse is missing in the risk extension.

What would this be? A consequence? (I've added it to consequence for now)

coolharsh55 commented 5 months ago

Implemented all of the above. See:

DelaramGlp commented 5 months ago

Thanks.

To me Misuse seems like a risk or risk source, but I'm not sure.

Shall we add Prohibited AI Assessment as well? Also we need a concept for Risk Management System.

For the next release, we need to add risk management concepts from Art. 9 and link them to ISO 31000 concepts (#74)

coolharsh55 commented 5 months ago

Misuse can indeed be a risk/source - but we'll get to that when we go through the entire taxonomy in the next iteration. There can be too much overlap between consequence and risk source, so we should try to create a single taxonomy and let the use-case specify it as a risk source or consequence where possible (or declare it as both source and consequence). I don't think we will have a taxonomy of risks - because then how to distinguish between source, risk, and consequence - concepts can be any of those depending on the use-case.

Prohibited AI Assessment - your call.

Risk Management System - for AI Act or in RISK extension? I think it is a type of technology for performing in Risk Management (which should be in RISK extension)?

DelaramGlp commented 5 months ago

Agree, risk management system should go into the RISK extension.

coolharsh55 commented 5 months ago

If you have a definition at hand - I can add it right away.

DelaramGlp commented 5 months ago

This is from the AI Act, Art. 9: The risk management system shall be understood as a continuous iterative process planned and run throughout the entire lifecycle of a high-risk AI system, requiring regular systematic review and updating.

This is from ISO 31000, 3.2: risk management: coordinated activities to direct and control an organization with regard to risk.

Looking into these definitions, should risk management be added to RISK and risk management system to AI Act?

coolharsh55 commented 5 months ago

From ISO 31073: risk management - coordinated activities to direct and control an organization with regard to risk; and risk management process - systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk. I found this in ISO 42001: management system: set of interrelated or interacting elements of an organization to establish policies and objectives, as well as processes to achieve those objectives.

So there seem to be pedantic differences in terms, e.g. to refer to the 'system' and the 'process'. We can put risk:RiskManagementProcess as subclass of risk:RiskManagement with a note stating that it is similar to 'risk management system' and using the 42001 definition, and then have eu-aiact:RiskManagementSystem be a subclass of risk:RiskManagementProcess. What do you think?

DelaramGlp commented 5 months ago

Makes sense.

coolharsh55 commented 5 months ago

I added in risk:RiskManagement as the broad concept and didn't include RiskManagementProcess as I couldn't find a source for the term. eu-aiact:RiskManagementSystem as a subclass of risk:RiskManagement is clear and consistent with use of standards with the law. (reopen the issue if more changes are to be made)
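As an added check for the hierarchy agreed in this thread (example code, not part of DPV or of this issue): a constructed Turtle fragment carrying the subclass links from items 3 and 9 and the final RiskManagementSystem decision, read by a minimal one-triple-per-line parser and checked against the agreed parents and for subClassOf cycles. The namespace IRIs are assumed, not taken from the thread; the reader handles only this simple fragment shape, not full Turtle.

```python
# Constructed Turtle fragment (one triple per line) encoding the subclass
# decisions agreed in this thread; namespace IRIs are assumed, not from the page.
TURTLE = """
@prefix eu-aiact: <https://w3id.org/dpv/legal/eu/aiact#> .
@prefix risk: <https://w3id.org/dpv/risk#> .
eu-aiact:AIProvider rdfs:subClassOf eu-aiact:AIOperator .
eu-aiact:AIDeployer rdfs:subClassOf eu-aiact:AIOperator .
eu-aiact:AIDistributor rdfs:subClassOf eu-aiact:AIOperator .
eu-aiact:AIImporter rdfs:subClassOf eu-aiact:AIOperator .
eu-aiact:AuthorisedRepresentative rdfs:subClassOf eu-aiact:AIOperator .
eu-aiact:NotifyingAuthority rdfs:subClassOf eu-aiact:NationalCompetentAuthority .
eu-aiact:MarketSurveillanceAuthority rdfs:subClassOf eu-aiact:NationalCompetentAuthority .
eu-aiact:RiskManagementSystem rdfs:subClassOf risk:RiskManagement .
"""
EXPECTED = {  # agreed parent -> classes that must reach it, directly or transitively
    "eu-aiact:AIOperator": ["eu-aiact:AIProvider", "eu-aiact:AIDeployer",
        "eu-aiact:AIDistributor", "eu-aiact:AIImporter", "eu-aiact:AuthorisedRepresentative"],
    "eu-aiact:NationalCompetentAuthority": ["eu-aiact:NotifyingAuthority",
        "eu-aiact:MarketSurveillanceAuthority"],
    "risk:RiskManagement": ["eu-aiact:RiskManagementSystem"]}

def parse_subclass_triples(text):
    """Minimal reader for the fragment above: returns (prefixes, parents)."""
    prefixes, parents = {}, {}
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        if parts[0] == "@prefix":
            prefixes[parts[1].rstrip(":")] = parts[2].strip("<>")
        elif parts[1] == "rdfs:subClassOf":
            parents.setdefault(parts[0], set()).add(parts[2])
    return prefixes, parents

def expand(curie, prefixes):
    """Expand a prefixed name such as eu-aiact:AIOperator to its full IRI."""
    prefix, local = curie.split(":", 1)
    return prefixes[prefix] + local

def ancestors(cls, parents):
    """Transitive superclasses of cls; raises if cls reaches itself (a cycle)."""
    seen, stack = set(), [cls]
    while stack:
        for parent in parents.get(stack.pop(), set()) - seen:
            if parent == cls:
                raise ValueError(f"subClassOf cycle through {cls}")
            seen.add(parent)
            stack.append(parent)
    return seen

def missing_links(parents, expected=EXPECTED):
    """(class, agreed parent) pairs that the hierarchy does not satisfy."""
    return [(cls, parent) for parent, classes in expected.items()
            for cls in classes if parent not in ancestors(cls, parents)]
```

Running `missing_links` over a fragment from which a triple has been dropped names the class and the agreed parent it no longer reaches, which is the kind of regression a vocabulary edit can silently introduce.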