AI Governance — EU AI Act Compliance, Risk Assessment, and Audit Logging

AI Governance — EU AI Act Compliance, Risk Assessment, and Audit Logging

AI 治理 — 欧盟《人工智能法案》合规性、风险评估与审计日志

Introduction: Through Chapter 7 (Multi-Agent), we have a complete, functioning AI system. The final step is building organizational infrastructure to operate AI safely over time. 引言:通过第七章(多智能体系统)的学习,我们已经拥有了一个完整且可运行的 AI 系统。最后一步是构建组织基础设施,以确保 AI 在长期运行中的安全性。

[Before] Technical safety: Security → Block malicious input; Evals → Measure quality. [Now] Organizational / regulatory safety: Governance → Know what AI systems are in use; Risk mgmt → Classify and assess risks; Audit logs → Record who did what, when; EU AI Act → Regulatory compliance. [过去] 技术安全:安全性 → 拦截恶意输入;评估 → 衡量质量。 [现在] 组织/监管安全:治理 → 掌握正在使用的 AI 系统;风险管理 → 分类并评估风险;审计日志 → 记录谁在何时做了什么;欧盟《人工智能法案》→ 监管合规。

EU AI Act Status (as of June 2026): The EU AI Act came into force on August 1, 2024, with full enforcement on August 2, 2026. Transparency rules (disclosing when users are interacting with AI, labeling AI-generated content) also take effect on that date. 欧盟《人工智能法案》状态(截至 2026 年 6 月):欧盟《人工智能法案》于 2024 年 8 月 1 日生效,并于 2026 年 8 月 2 日全面实施。透明度规则(披露用户何时与 AI 交互、标记 AI 生成的内容)也将于该日期生效。

AI systems are classified into three risk tiers: AI 系统分为三个风险等级:

Risk LevelDescriptionExamples
ProhibitedNot permittedSocial scoring, manipulative AI
High RiskStrict regulationHiring, credit scoring, law enforcement
Limited RiskTransparency obligationsChatbots, AI-generated content
Minimal RiskNo regulationSpam filters, game AI
风险等级描述示例
禁止类不允许使用社会信用评分、操纵性 AI
高风险严格监管招聘、信用评分、执法
有限风险透明度义务聊天机器人、AI 生成内容
最低风险无需监管垃圾邮件过滤器、游戏 AI

Our RAG system’s classification: Limited Risk (chatbot). We are required to disclose to users that they are interacting with AI. 我们 RAG 系统的分类:有限风险(聊天机器人)。我们必须向用户披露他们正在与 AI 进行交互。

Directory Structure: 目录结构:

pgvector-tutorial/
├── existing files
└── governance/
    ├── ai_registry.py      # ★ AI system inventory
    ├── risk_assessor.py    # ★ Risk assessment
    ├── audit_logger.py     # ★ Audit logging
    └── compliant_rag.py    # ★ Governance-compliant RAG
  1. AI System Inventory — governance/ai_registry.py Most organizations lack a systematic inventory of their AI systems, making risk classification and compliance planning difficult. Knowing what you have is the essential first step.
  2. AI 系统清单 — governance/ai_registry.py 大多数组织缺乏对其 AI 系统的系统性清单,这使得风险分类和合规规划变得困难。了解你拥有什么,是至关重要的第一步。
# governance/ai_registry.py
"""
AI system inventory
Centrally manage all AI systems in use across the organization. 
Forms the foundation for technical documentation required by EU AI Act Annex IV.
"""
# governance/ai_registry.py
"""
AI 系统清单
集中管理组织内所有正在使用的 AI 系统。
为欧盟《人工智能法案》附件 IV 所要求的技术文档奠定基础。
"""

(Code snippet omitted for brevity, focusing on the structure provided in the prompt) (为保持简洁,此处省略代码片段,重点关注原文提供的结构)

  1. Risk Assessment — governance/risk_assessor.py

governance/risk_assessor.py

""" Risk assessment module Quantitatively assess AI system risk. Supports the EU AI Act risk-based approach. """ 2. 风险评估 — governance/risk_assessor.py

governance/risk_assessor.py

""" 风险评估模块 定量评估 AI 系统风险。支持欧盟《人工智能法案》基于风险的方法。 """