AI Governance — EU AI Act Compliance, Risk Assessment, and Audit Logging
AI Governance — EU AI Act Compliance, Risk Assessment, and Audit Logging
AI 治理 — 欧盟《人工智能法案》合规性、风险评估与审计日志
Introduction: Through Chapter 7 (Multi-Agent), we have a complete, functioning AI system. The final step is building organizational infrastructure to operate AI safely over time. 引言:通过第七章(多智能体系统)的学习,我们已经拥有了一个完整且可运行的 AI 系统。最后一步是构建组织基础设施,以确保 AI 在长期运行中的安全性。
[Before] Technical safety: Security → Block malicious input; Evals → Measure quality. [Now] Organizational / regulatory safety: Governance → Know what AI systems are in use; Risk mgmt → Classify and assess risks; Audit logs → Record who did what, when; EU AI Act → Regulatory compliance. [过去] 技术安全:安全性 → 拦截恶意输入;评估 → 衡量质量。 [现在] 组织/监管安全:治理 → 掌握正在使用的 AI 系统;风险管理 → 分类并评估风险;审计日志 → 记录谁在何时做了什么;欧盟《人工智能法案》→ 监管合规。
EU AI Act Status (as of June 2026): The EU AI Act came into force on August 1, 2024, with full enforcement on August 2, 2026. Transparency rules (disclosing when users are interacting with AI, labeling AI-generated content) also take effect on that date. 欧盟《人工智能法案》状态(截至 2026 年 6 月):欧盟《人工智能法案》于 2024 年 8 月 1 日生效,并于 2026 年 8 月 2 日全面实施。透明度规则(披露用户何时与 AI 交互、标记 AI 生成的内容)也将于该日期生效。
AI systems are classified into three risk tiers: AI 系统分为三个风险等级:
| Risk Level | Description | Examples |
|---|---|---|
| Prohibited | Not permitted | Social scoring, manipulative AI |
| High Risk | Strict regulation | Hiring, credit scoring, law enforcement |
| Limited Risk | Transparency obligations | Chatbots, AI-generated content |
| Minimal Risk | No regulation | Spam filters, game AI |
| 风险等级 | 描述 | 示例 |
|---|---|---|
| 禁止类 | 不允许使用 | 社会信用评分、操纵性 AI |
| 高风险 | 严格监管 | 招聘、信用评分、执法 |
| 有限风险 | 透明度义务 | 聊天机器人、AI 生成内容 |
| 最低风险 | 无需监管 | 垃圾邮件过滤器、游戏 AI |
Our RAG system’s classification: Limited Risk (chatbot). We are required to disclose to users that they are interacting with AI. 我们 RAG 系统的分类:有限风险(聊天机器人)。我们必须向用户披露他们正在与 AI 进行交互。
Directory Structure: 目录结构:
pgvector-tutorial/
├── existing files
└── governance/
├── ai_registry.py # ★ AI system inventory
├── risk_assessor.py # ★ Risk assessment
├── audit_logger.py # ★ Audit logging
└── compliant_rag.py # ★ Governance-compliant RAG
- AI System Inventory — governance/ai_registry.py Most organizations lack a systematic inventory of their AI systems, making risk classification and compliance planning difficult. Knowing what you have is the essential first step.
- AI 系统清单 — governance/ai_registry.py 大多数组织缺乏对其 AI 系统的系统性清单,这使得风险分类和合规规划变得困难。了解你拥有什么,是至关重要的第一步。
# governance/ai_registry.py
"""
AI system inventory
Centrally manage all AI systems in use across the organization.
Forms the foundation for technical documentation required by EU AI Act Annex IV.
"""
# governance/ai_registry.py
"""
AI 系统清单
集中管理组织内所有正在使用的 AI 系统。
为欧盟《人工智能法案》附件 IV 所要求的技术文档奠定基础。
"""
(Code snippet omitted for brevity, focusing on the structure provided in the prompt) (为保持简洁,此处省略代码片段,重点关注原文提供的结构)
- Risk Assessment — governance/risk_assessor.py
governance/risk_assessor.py
""" Risk assessment module Quantitatively assess AI system risk. Supports the EU AI Act risk-based approach. """ 2. 风险评估 — governance/risk_assessor.py
governance/risk_assessor.py
""" 风险评估模块 定量评估 AI 系统风险。支持欧盟《人工智能法案》基于风险的方法。 """