Compliance with the EU AI Act The Techworks Trusted AI Bill Of Materials (TAIBOM) project

The EU AI Act, which is the world’s first comprehensive AI law, was unanimously approved by the EU council on May 21st 2024.

Deeply ingrained in this legislation is the requirement for AI systems to be trustworthy. Clearly, without trust in AI systems, it cannot be expected that they will be widely adopted.

From the EU AI Act Corrigendum [1]
“The purpose of this Regulation is to improve the functioning of the internal market by laying down a uniform legal framework………to promote the uptake of human centric and trustworthy artificial intelligence (AI) while ensuring a high level of protection of health, safety, fundamental rights….”

In developing the Act, the Commission appointed a High-Level Expert Group (HLEG). This Expert Group informed the view of trustworthiness in the Act and in particular defined seven principles:

• Human Agency and Oversight
• Technical Robustness and Safety
• Privacy and Data Governance
• Transparency
• Diversity, non-discrimination and fairness
• Societal and environmental well-being
• Accountability

Focussing on the more technical of the seven principles, it is possible to see how the composition of a given AI system must be controlled and protected, in order to have any claim of trustworthiness. From the HLEG document [2] , II.1

Requirements of Trustworthy AI

A cornerstone of trust is knowledge of and confidence in the components that make up a given AI system.

The Techworks TAIBOM (Trusted AI Bill Of Materials) project will provide a method of ensuring that this knowledge and confidence exists, by detailing all of the components of a given AI system, not just the software components (as is common in an SBOM [3] ) but all the other affecting components such as the hardware, training data, testing data, data provenance, weights, parameters, variables and so on, used in the system.

Furthermore, TAIBOM provides a way to protect the integrity of these components and to allows the integrity to be proven and verified by any user of the system.

Having visibility and confidence in the build of system is fundamental to meeting the main requirements for trustworthy AI.

Taking these in turn, a Trusted AI Bill Of Materials provides the following assurances:

Technical Robustness and Safety

Resilience to attack
Cryptographic methods ensure that the component integrity is preserved and that unauthorised alterations can be detected.

Security
Once an implementation has be verified, the system cannot be changed to attempt to compromise security. Updates can be made but cryptographic controls ensure the trustworthiness of the updates. Mechanisms exist to allow expiration of component validity to ensure security patches are made regularly.

Accuracy
A given implementation will retain the originally tested accuracy, since the composition is known and controlled.

Reliability
The tested reliability of the system cannot be compromised by deliberate or accidental alterations.

Reproducibility
Since the composition will always be identical, for every system (for instance in edge AI applications with multiple instances) the system behaviour will be reproducible between instances.

Privacy and data governance

Quality and integrity of data
The original data used for training and testing is preserved and controlled and can be inspected or evaluated at any time, if required.

Transparency

Traceability
TAIBOM provides full traceability of a given system, due to the strict version and cryptographic controls

Accountability

Auditability
Since the components in the TAIBOM are immutable, it is possible to have a complete audit trail of any changes made to any components – hardware, software, data, weights or parameters

We are actively seeking members for our TAIBOM cross Working Group (xWG). If you would like to join the xWG, please contact Gareth Richards.
[email protected]