Ensuring legal compliance when using algorithmic systems requires correct qualification of in-scope systems and correct risks categorization. AI AQT consists of dynamic questionnaires that help with:
Identification: AI systems, GDPR (profiling and solely automated decision-making) and high-impact algorithms.
Role and status: Your role in relation to the AI system (provider, deployer etc.) and usage status of the system (in use or in development).
Risk category: Prohibited and high risk AI systems, transparency requirements for certain AI systems.
Obligations: Requirements that follow from the AI Act depending on the role, status and risk category of the AI system.
AI AQT is developed open-source and can be used for free within your under the EUPL-1.2 license. All outcomes of the tool are shown in the below figure. The flowcharts of the questionnaires can also be found below.
Applying legal definitions in practice raises difficult questions. For example: What features distinguish AI from other algoritmic systems? And what criteria determine the risk category of an AI system? Standardized questionnaires can help govern algorithms efficiently. Questionnaires can be shared across the entire organization and can be processed centrally. AI AQT provides a clear and user-friendly approach and serves as a building block for compliance. Identification and risk classification are relevant not only in the context of the AI Act, but also in relation to the GDPR and additional policy instruments, such as the Algorithm Register Guidelines of the Dutch government.
Infographic – Flow of the AI AQT questionnaires
The outcomes of the tool are displayed in the figure below. The following categories are distinguished:
The first version of AI AQT was developed in collaboration with the Municipality of Amsterdam and has since been further developed by Algorithm Audit. The source code of the tool can be found on Github and can be (re)used under the EUPL-1.2 license. AI AQT is used by the following organisations:
Considerations and choices made during development of the questionnaires relating to the AI Act, guidelines from the European Commission on the definition of an AI system and AI Act Article 50 transparency obligations, GDPR Article 22 and guidelines of the EPDB and Dutch DPA (AP) and the Dutch Algorithm Register Guidelines are described in ‘AI AQT Documentation’.
Below’s policy briefing elaborates why the guidelines of the European Commission blur the interpretation of the AI system definition.
Using examples, we explain how the AI system definition and risk categories from the AI Act apply to real-world algorithmic applications.
Preventing prohibited automated decision-making
The above flowcharts for Questionnaire Identification represent the logic needed to assess whether an algorithmic system falls under one of the legal definitions: AI system, GDPR (profiling, solely automated decision-making) or high-impact algorithm. When using the questionnaire, users encounter questions only once. A complete flowchart of Questionnaire Identification with all paths and outcomes can be found here.
