歐盟EDPB《人工智能審計(jì)檢查清單（英文版）》

SUPPORTPOOL

OFEXPERTSPROGRAMME

AIAuditing

ChecklistforAIAuditing

byDr.GemmaGALDONCLAVELL

AIAuditing-ChecklistforAIAuditing

2

AspartoftheSPEprogramme,theEDPBmaycommissioncontractorstoprovidereportsandtoolsonspecifictopics.

TheviewsexpressedinthedeliverablesarethoseoftheirauthorsandtheydonotnecessarilyreflecttheofficialpositionoftheEDPB.TheEDPBdoesnotguaranteetheaccuracyoftheinformation

includedinthedeliverables.NeithertheEDPBnoranypersonactingontheEDPB’sbehalfmaybeheldresponsibleforanyusethatmaybemadeoftheinformationcontainedinthedeliverables.

Someexcerptsmayberedactedorremovedfromthedeliverablesastheirpublicationwould

underminetheprotectionoflegitimateinterests,including,interalia,theprivacyandintegrityofanindividualregardingtheprotectionofpersonaldatainaccordancewithRegulation(EU)2018/1725and/orthecommercialinterestsofanaturalorlegalperson.

AIAuditing-ChecklistforAIAuditing

3

TableofContents

1.Introduction 4

2.Scopeofalgorithmicauditing 4

3.Auditingprocess 5

3.1.Modelcard 5

3.2.Systemmap 7

3.3.Momentsandsourcesofbias 12

3.4.Biastesting 18

3.5.Adversarialaudit(optional) 19

4.Theauditreport 19

DocumentsubmittedinJanuary2023

AIAuditing-ChecklistforAIAuditing

4

1.Introduction

AlgorithmicauditingisawaytoinspectAIsystemsintheirspecificcontexts.Itisanapproachandmethodologythatallowsforadynamicappraisalofregulation,standardsandimpacts.Ifitsresultsarepublic,itisalsoatoolfortransparencyandaccountability.

AIauditsarekeytoolsforregulatorsandsociety,whocanuseauditreportstoassesshowsystemsworkandtheirimpacts.ButtheyarealsousefulforthosedevelopingandacquiringAIsystems.Anend-to-end,socio-technicalapproachliketheoneproposedheregeneratesdocumentationthatimprovessystemaccountability,organizationalmemoryandcompliancewithAIanddataregulations.ForthoseacquiringandincorporatingAIsystemsintotheiroperations,auditsprovidecrucialevidencethatenableduediligenceandproperassessmentandcomparisonofthecharacteristicsbetweendifferentsystemsandvendors.

TheAIauditchecklistproposedisspecificallyfocusedonAIimpacts.ThismeansthatwhileitgathersinformationoncomplianceandtrustandsafetymechanismsbothbeforeandafteranAIsystemislaunched,thefocusoftheauditistovalidatethatAIdevelopersandimplementorshavetakenallnecessarymeasures,atalldifferentstages,tomakesurethattheimpactsoftheirsystemsareinlinewithexistinglaws,trustandsafetybestpracticesandsocietalexpectations.

Itshouldbenotedthatanauditprocessintheframeworkofthecontrollerimplementationoftheaccountabilityprincipleandtheinspection/investigationcarriedoutbyaSupervisoryAuthoritycouldbedifferent.Suchdifferencesrely,amongothers,inthefinalpurposeofbothactivities(theSAcoulddotheinspectiontogetevidenceofaninfringement),thescope(limitedtotheGDPR:appliesonpersonaldataprocessingactivitiesbutnotontechnologies)andthenationalregulationsregardinginspectionbycontrolauthorities.

Thisdocumentincludesamethodologyintheformofacheck-listtoperformanauditofanAIsystem.WedefineanAIsystemasalogicwithaspecificoutcome.AnAIsystemmaybecomposedofseveralalgorithms,andanAIserviceorproductmayincludeseveralAIsystems.

Inaddition,itshouldbenotedthattherearedifferenttechniquesfordevelopingartificialintelligence

1

.Thisdocumentisfocusedonauditinganalgorithmforartificialintelligencebasedonmachinelearning,whereitslifecycleisdividedinthreetotallyindependentstagesfromthepointofviewofdataprocessingandthesestagesare:algorithmtraining(pre-processing),theoperationofthealgorithmimplementingone(ormorethanone)operationintheframeworkofapersonaldataprocessing(in-processing–inference)andthedecisionmakingandimpactofthesameintheprocessing(post-processing–modeldeployment).Itcouldbeafourthone,thatisthealgorithmevolution.Allofthosestagescouldbedifferentprocessingactivitiesandcouldinvolvedifferentcontrollers.

2.Scopeofalgorithmicauditing

Anend-to-end,socio-technicalalgorithmicaudit(E2EST/AA)shouldinspectasystemintheactualimplementation,processingactivityandrunningcontext,lookingatthespecificdatausedandthedatasubjectsimpacted.Itisanend-to-endapproachbecauseitrecognizesthatalgorithmicsystemsworkwithdataproducedbycomplexandimperfectindividualsandsocieties,andoperateandinterveneincomplexsocialandorganizationalcontexts.Thus,AIsystemsaredeeplysocio-technical,andafocusontechnicalissueswouldfailtoincorporatebothproblemsandpossibilitiesforsystem

1TherearedifferentapproachestoAI-basedsolutions:neuralnetworks,rule-basedsystems,fuzzylogic,machinelearning,expertsystems,adaptivesystems,geneticalgorithms,multi-agentsystems,etc.

AIAuditing-ChecklistforAIAuditing

5

improvementandimpacttestingthatgobeyondin-processing.Infact,mostoftheE2EST/AAfocusesonpre-processingandpost-processingstagesofthatalgorithmiclife-cycle.Modelsandsystemsthathaveoptimalperformanceandaccuracyratesin-processingmayperformininefficientorharmfulwayswhenauditedend-to-endandusingsocialandtechnicalmeans.

TheE2EST/AAprocessisdesignedtoinspectalgorithmicsystemsusedinranking,imagerecognitionandnaturallanguageprocessing.Itworkswithsystemsthatmakedecisionsonindividualsorgroupsbasedonknowndatasources,regardlessofwhethertheyusemachinelearningorclassiccomputing.Thisdefinitionincludesmostsystemsusedbythepublicandprivatesectorstomakedecisionsonresourceallocation,categorizationandidentification/verificationinsectorssuchashealth,education,security,financeandforapplicationslikefrauddetection,hiring,operationsmanagement,orprediction/riskassessment.

TheE2EST/AAisfocusedonbiasassessment,butnotlimitedtoit.ThemethodologytocarryoutanE2EST/AAincorporatesquestionsrelatedtobroadersocialimpactanddesirability,aswellastheincorporationofend-usersinthedesignprocessandtheexistenceofrecoursemechanismsforthoseimpactedbyalgorithmicsystems.Forasystemtopassanalgorithmicaudit,issuesofimpact,proportionality,participationandresourcemustbetackled.

Aclearlimitationofanyauditprocessisthatitisbasedinanexistingsystem.Thismeansthatanauditmethodologydoesnotpromptareflectiononwhetherasystemshouldexistinthefirstplace.

3.Auditingprocess

AnE2EST/AAisaniterativeprocessofinteractionbetweentheauditor/sandthedevelopmentteam/s.Themethodprovidestemplatesandinstructionstoguidesuchinteraction,specifyingthedatainputsthatarenecessaryforauditorstocompletetheassessmentandvalidateresults.

3.1.Modelcard

ModelcardsaredocumentsdesignedtocompileinformationaboutthetrainingandtestingofAImodels,aswellasthefeaturesandthemotivationsofagivendatasetoralgorithmicmodel.Asamplemodelcardliketheoneproposedbelowcanbeusedandslightlyadaptedtodifferentsystemsorcomplianceconcerns.

Generalinformation

oSystemname/codeandversion(5.2GDPR)

oLeafletversionandversionhistory(5.2GDPR)

oSystemownerandsuppliersdata

oSuppliers’role

oRisklevel(AIAct)

oGovernanceroles(ChapterIVGDPR)

oDistributiondate(5.2GDPR)

oExistingdocumentation

Informationonprocess

oDescriptionofintendedpurposes,uses,contextandrole/serviceprovided(Article5.1.b,5.2and24.1GDPR)

oStakeholderinvolvement

oOrganizationalcontext

oHumanrole/s

6

Informationontraining/validationdata

oDatasources/collectionmethodology(Articles5and9GDPR)

oDatatypesandcharacteristics(Article5.1.a,bGDPR)

oPrivacybyDesign(Article25GDPR)

oDatasets(Article5.1.a,bGDPR)

Informationonthemodel

oMethod/susedandjustification

oSimplifiedoutput/s

oDecisionvariables

oObjectivefunction/s(Article5.1.dGDPR)

Informationonbiasandimpacts(inlab/operationalsettings)

oMetrics(Articles5.1.aand5.1.bGDPR)

oProtectedcategories(Articles13.1.e,14.1.eand35.9GDPR)

oImpactratespercategoryandprofile(Article5.1.dGDPR)

oAuditability(Articles5and22GDPR)

Informationonredress:

oExplainabilityprofiling(Recital71GDPR)

oRedressorreview(Articles13.2.f,14.2.gand15GDPR)

oRedressmetrics,ifapplicable

TheModelCardallowstheauditortohaveaninitialpictureofthesystem,aswellasoftheavailableinformation,andsoitiscrucialtodeterminewhatissuesneedtobefurtherexploredandinquiresystemdevelopersonhowsomeoftheinformationprovidedwasdetermined.Itisalsoausefulwaytogatherallexistingdocumentationonthesystem.

Specifically,theinspectorshouldrecordtheexistenceof:

Documents

Available

Nonavailable

N/A

DPIA/HRIA

Linktodocumentormetadata(author/s,date,etc)

Justification

Datareuse

permissions/authorizations

Linktodocuments

Justification

Datasharingagreements

Linktodocuments

Justification

Ethics/IRBapproval

Linktorequestandapprovaldocuments

Justification

DPAapproval

Linktorequestandapprovaldocuments

Justification

AIAuditing-ChecklistforAIAuditing

7

Transparencyreport

Linktodocuments

Justification

Academicpaper/s

Fullreferences

Justification

GitHub/publicrepositories

Link

Justification

3.2.Systemmap

Thesystemmapputsthealgorithmincontext,establishingtherelationshipsandinteractionsbetweenanalgorithmicmodel,atechnicalsystemandadecision-makingprocess.Afirstversioncanbedesignedbytheauditor/sfollowingtheinformationprovidedintheMC,tobecompletedandvalidatedbythedevelopmentteam/s.

Model:Themodelisthetrainedalgorithm,thatis,therulesadaptedtoaparticulardomain,whichconstitutethefoundationofthetechnologyweaudit.Modelsaresubjecttoperformanceevaluation,test,andcanbecomparedtoeachotherviabenchmarkdatasets.ThemodelisthecoreofanAIsystem,butitusuallyreliesuponotherelements(e.g.datapipelines,visualizationplatforms,...)forittowork.

System:Thesysteminthiscasereferstotheentiretechnology.ForamobilityserviceitcouldbetheappthatintegratesaMachineLearning(ML)modeltopredictdemandandadjustpricing,includingtheUI,includingforexamplethedatapipelinesandprotocols.

Process:Byprocesswedefinetheentirelifecycleofanyunitofwork,fromthemomentitentersintotheworkflowallthewaytothedecisionand,ifpartoftheprocess,theactualwaythedecisionisutilized.

Specifically,intheframeworkofaninvestigationcarriedoutbyaSupervisoryAuthorityshouldrecordtheexistenceof:

IDENTIFICATIONANDTRANSPARENCYOFTHEAI-BASEDCOMPONENT

?InventoryoftheauditedAI-basedcomponent[Article5.2]

Lookforevidencetocheck,atleast,thefollowingquestions:

oIstheAI-basedcomponentidentifiedinthedocumentationbymeansofanameorcode,identificationofversionanddateofcreation?

oDothecodeandanyadditionalfilesdefinedbytheversionincludeadigitalsignatureovertheentirepackagetoguaranteeitsintegrity?

oIsaversionhistoryoftheevolutionoftheAIcomponentavailable?

oDoeseveryversionrecordedincludetheparametersusedinthetrainingofthecomponentandeverythingthatensuresthetraceabilityoftheevolution/changesinthecomponent?

?Identificationofresponsibilities[ChapterIV]

Lookforevidencetocheck,atleast,thefollowingquestions:

oIsthereanidentificationabouttheperson(s)orinstitution(s)whomanagethelifecyclestagesoftheAI-basedcomponent?

oIsthereanidentificationabouttheassociatemanagers,andtherepresentativesofthecontrollerandoftheprocessorofeverylifecyclestage?

AIAuditing-ChecklistforAIAuditing

8

oDoeseverycontractassociatedtoeachprocessingstagespecifythedistributionofresponsibilitieswithregardtopersonaldataprotection?

oHaseverycontractassociatedtoeachprocessingstagebeenaudited?

oIstherearegistrationintheRecordsofProcessingActivitiesofthecorrespondingcontrollersandprocessors?

oIsaDataProtectionOfficerappointed?Ifnot,why?

oHastheDataProtectionOfficerbeenidentifiedandcommunicatedhis/heridentitytotherelevantSupervisoryAuthority?

?Transparency[Article5.1.aandChapterIII-Section1,Articles13.2.fand14.2.gofChapterIII-Section2].

Lookforevidencetocheck,atleast,thefollowingquestions:

oAredatasourcesdocumented?

oHasaninformationmechanismbeenimplemented?

oArethecharacteristicsofdatausedtotraintheAIcomponentidentified,documentedanddulyjustified?

oIsthemodelchosenfortheAI-basedcomponentappropriateintermsofsimplicityandintelligibility,consideringefficiency,qualityandaccuracy?

oIsthealgorithmcodeexplainabilitydocumentedinordertofacilitateitsreadability,logiccomprehensionandinternalconsistency?

oDoesthealgorithmcodedocumentationincludeinformationregardingmetadataoftheAI-basedcomponent,itslogicandtheconsequencesthatmayarisefromitsuseareaccessibletodatasubjectstogetherwiththemeansormechanismsavailabletoexercisetheirrightsincaseofobjectionstotheresults?

oDoesthealgorithmcodedocumentationincludeinformationaboutitsbehaviourregardinginputdatasets,datause,intermediatedataandoutputdata?

oCaninputdatasets,datause,intermediatedataandoutputdatabetraced?

oIncaseofanerroneousbehaviouroftheAI-basedcomponentthatcouldcauseharmtodatasubjects,havemechanismsbeenestablishedtominimisesuchdamage?,arecommunicationchannelsprovidedtofacilitatecommunicationamongallstakeholdersinvolvedintheprocess?

PURPOSEOFTHEAI-BASEDCOMPONENT

?Identificationofintendedpurposesanduses[Article5.1.b].

Lookforevidencetocheck,atleast,thefollowingquestions:

oIstheintendedpurposeoftheAI-basedcomponentdocumentedbothinquantitativeandqualitativeterms?

oIstherearelationbetweentheuseoftheAIcomponentwiththeultimatepurposeoftheprocessingandtheconditionsguaranteeingthelawfulnessofsuchprocessing?

oArethedifferentdynamics,activitiesand/orprocesseswithintheorganizationinwhichthelifecyclestageoftheauditedAIcomponentisintegratedareidentified,delimitingthecontextofuseasmuchaspossible?

oArepotentialusersoftheAI-basedcomponentcategorized?

oAreotherpossibleusesandsecondaryusersfortheAIcomponent?Havebeendescribedtogetherwiththelegalgroundsforitsuse?

?DefinitionoftheintendedcontextoftheAI-basedcomponent[Article24.1]

Lookforevidencetocheck,atleast,thefollowingquestions:

AIAuditing-ChecklistforAIAuditing

9

oArethereanylegal,social,economic,organizational,technical,scientificorothercontextsidentifiedrelatedtotheinclusionoftheAI-basedcomponentintheprocessing?Aretheydocumented?

oIstheorganisationaland/orcontractualstructurebetweenthepartiesdefined?

oArethetasksandresponsibilitiesdistributedthroughthestructure?

oArethedeterminingfactorsoftheefficacyoftheAIcomponentdescribed(includinglegalguarantees,applicablelawsandregulations,organizationalandtechnicalresources,availabledataandinternaldynamicsthatpersonaldataprocessingneedstoimplementtheauditedAI-basedcomponentwiththeappropriateguarantees)?

oAretherequirementsapplicabletohumanoperatorsinchargeofsupervisingandinterpretingtheoperationoftheAI-basedcomponentdefined?

oIsthereanyinteractionbetweentheAI-basedcomponentwithotherownorthird-partycomponents,systemsorapplications?Areresponsibilitiesformaintenance,updatingandminimisingsystemprivacyissuesdistributedanddocumented?

oArelevelsorthresholdsdefinedforinterpretingandusingtheinferenceresults?

oAredefinedthosecontextsforaprocessingwheretheAI-basedcomponentisnotrecommended(intermsofitspurposeorcharacteristics,orwhenitrepresentsaninadequatelevelofreliabilityand/oraccuracywithregardtotheotherprocessing)?

?Analysisofproportionalityandnecessity[Article35.7.b]

Lookforevidencetocheck,atleast,thefollowingquestions:

oHastheuseoftheAIcomponentbeenassessedagainstotherpossibleoptionsfromanapproachfocusingontherightsandfreedomsofdatasubjects?

oIncaseofnewdevelopments,hasacomparativeefficiencyanalysisandadequatenessofresultsoftheAI-basedcomponentbeencarriedoutagainstother,morethoroughlytestedcomponents,whichusestricterminimisationcriteriaorwhichinvolvelessrisksfortherightsandfreedomsofpersons,mostespeciallythosethatmakelessintensiveuseofspecialdatacategories?

oIncaseofaddressinganewissue,havethemotivationsandgroundsforaddressingthisissuebyusinganAI-basedcomponentbeendocumented?

oWhenaddressingawell-knownproblem,havethegroundsforchangingthepreviousoperationsystemthathaveledtoachangeinthepreviousmodeofoperationbeendocumentedincludingthedescriptionofthenewcontrolobjectivesintendedbyusingtheAIcomponentintheframeworkoftheprocedure?

oHastherisktotherightsandfreedomsofdatasubjectsintroducedbyusinganAI-basedcomponentindataprocessingbeenanalysedandmanaged?

?Definitionofthepotentialrecipientsofdata[ChapterIII;speciallyArticles13.1.eand14.1.e]

Lookforevidencetocheck,atleast,thefollowingquestions:

oIstheinformationobligationtodatasubjectsidentifiedregardingdataprocessingarisingfromtheinclusionoftheAI-basedcomponent?

oAresuchobligationsidentifiedbothfordatadirectlyobtainedfromdatasubjectsandfordataobtainedfromothersourcesofinformation?

oWhendeterminingsuchobligations:

?aretherecipientsorcategoriesofrecipientstowhomthepersonaldataprocessedbytheAI-basedcomponentwereoraretobecommunicatedidentified(includingthosewhoareinthirdcountriesorareinternationalorganizations)?

AIAuditing-ChecklistforAIAuditing

10

?aretheintentionsofthecontrolleroftransferringpersonaldatatoarecipientinathirdcountryorinternationalorganizationandtheexistenceorabsenceofaCommissiondecisiononadequacyidentified?

oAredatarecipients–includingthosefromthirdcountriesorinternationalorganizations–identifiedundertheactivityoractivitiesrecordedintheRecordsofProcessingActivitiesinwhichtherelevantAI-basedcomponentisincluded?

?Limitationofdatastorage[Article5.1.e,exceptionsArticle89.1]

Lookforevidencetocheck,atleast,thefollowingquestions:

oArethelegalgroundstostorepersonaldatausedbytheAI-basedcomponentforaperiodoftimethatexceedstheperiodestablishedforprocessingpurposesidentified(especiallywhenitisrelatedwithcompatiblepurposesorincludedinanyoftheexceptionsprovidedintheregulations)?

oIsitjustifiedtostorepersonaldataonceitisprocessedinanylifecyclestagesoftheAI-basedcomponent?

oHaveappropriatetechnicalandorganizationalmeasuresandcriteriabeendefinedtostoragepersonaldata?

oArethetimelimitsforerasureofstoredpersonaldatadefined?

oHasaconservationpolicybeendefinedtokeepasampleoftrainingdataforthepurposeofauditingtheAIcomponent?Doesitconsidertheminimumorassumablerisksforthedatasubjects?

oArethereprocedurestoverifystorageperiods,criteriaandimplementedmeasures?

oForthosecaseswhereanexcessivepatternofdatastoragehasbeendetected,eitherintermsoftimeorquantity,hasaprocedureforreviewingtheanalysisoftheneedandtheproportionalityofdatastoragebeendefined?

oHasastoragepolicyforpersonaldataincludedintheactivityrecordsoftheAI-basedcomponentandprivacystrategies(minimisation,hiding,separationorabstraction)beendefined?Hasitbeenimplementedforoperationpurposes?

?Analysisofcategoriesofdatasubjects[Article35.9]

Lookforevidencetocheck,atleast,thefollowingquestions:

oArethecategoriesofdatasubjectsaffectedbythedevelopmentoftheAIcomponentanditsuseintheframeworkoftheintendedprocessingidentified?

oAretheshort-andlong-termconsequencesthattheimplementationoftheAIcomponentmayhaveonthecategoriesofdatasubjectsidentified?

oIsthereanyprocedurethatanalysesthesocialcontextinwhichtheAIcomponentisused,collectinginformationfrompeople,groupsororganizationsaffectedbysuchAIcomponentforthepurposesofknowingtheirlevelsofsatisfaction,position,concernsanduncertaintiesregardingtheapplicationofthistechniqueforprocessingtheirdata?

BASESOFTHEAICOMPONENT

?IdentificationoftheAI-basedcomponentdevelopmentpolicy[Article24.1]

Lookforevidencetocheck,atleast,thefollowingquestions:

oDothedocumentswithdevelopmentpoliciesofproductsandsystemsconsiderthedataprotectionpolicy?

oArethepoliciesreviewedandversioncontrolled?

?InvolvementoftheDataProtectionOfficer(DPO)[Section4ofChapterIV]

Lookforevidencetocheck,atleast,thefollowingquestions:

AIAuditing-ChecklistforAIAuditing

11

oDoestheDPOhavethenecessaryprofessionalqualificationsand,particularly,thelegalandtechnicalexpertise,aswellasdataprotectionpracticeappropriatetotheproject?

oIstheDPOassistedandadvisedbyexpertsonspecificmattersrelatingtotheAIcomponent?

oArethereinternalproceduresdefinedwithintheorganisationforcorrectcommunicationbetweentheDPOsandthepeopleinchargeofthoseprojectsthatmayhaveanimpactindataprocessing,inordertoobtainassistance,particularlywhendevelopingthedataprotectionimpactassessmentforthoseprocessingactivitieswhichincludeAI-basedcomponents?

oHastheDPOplayedanactiveroleinthestagesbeingaudited?Hashisorherindependenceofjudgmentwithintheorganisationandhisorherobligationstocooperatewiththesupervisoryagenciesbeenrespectedandhisorheropinions,remarksandconsiderationstakenintoaccount?

?Adjustmentofbasictheoreticalmodels[Article5.1.a]

Lookforevidencetocheck,atleast,thefollowingquestions:

oHasananalysisbeencarriedoutregardingthetheoreticalframeworkandprevioussimilarexperienceonwhichthedevelopmentoftheAIcomponentisbased?

oHavethebasichypothesesandpremisesconsideredinordertocreateanddeveloptherelevantmodelbeenaccuratelydescribed,justifiedanddocumented?

oIsacriticalandverifiedproceduralrevisiondefinedforthereasoningarisingfromacceptanceofimportanthypothesesforthedevelopmentoftheAI-basedcomponent(i.e.examiningwhicharetheargumentsforacausalrelationshipthatmodelsanalgorithm,suchastheselectionofvariablesdefiningacertainphenomenon)?

oHaveappropriatepremisesbeenestablishedregardingthepotentialproxyvariablesinterveningintheAI-basedcomponentsaftercarryingoutacarefulanalysis?

?Appropriatenessofthemethodologicalframework[Article5.1.a]

Lookforevidencetocheck,atleast,thefollowingquestions:

oIsthereproperdocumentationthatincludethemethodologicalframeworkfordefiningthemodelandcreatingtheAIcomponentintheauditedstages,suchasthemethodsforselecting,collectingandpreparingcomponent’strainingdata,labelling,modelbuilding,usingintermediatedata,selectingthetest/validationdatasubsetormeasuringdeviationsforimprovementpurposes?

oIsthedevelopmentmodeltobeusedproperlydetermineddependingontheresultsoftheanalysisoftheproblemtobesolvedandinajustifiedway(i.e.supervised,unsupervisedorothers)?Incaseofsupervisedmodels,doesitspecifytheprocedureforsupervisingthelearningprocessofthealgorithm,thedegreeofsupervisionandthebasisforsuchsupervision?

oArethemetricsformeasuringthebehaviouroftheAIcomponentdulyselectedandmeasured?

oHasaprocedurebeenimplementedforrecordingandmonitoringthedeviationsinthebehaviouroftheAIcomponentwithrespecttothedefinedmetricsthatallowstoidentifythecircumstanceswhichmayariseinanerroneousorbiasedbehaviour?

?IdentificationofthebasicarchitectureoftheAI-basedcomponent[Article5.2]

Lookforevidencetocheck,atleast,thefollowingquestions:

oDoestheprojectanalysisphaseoftheAI-basedcomponentinclude,aspartoftherequirementcatalogue,aseriesofspecificrequirementstooguaranteeprivacyandpersonaldataprotection?

AIAuditing-ChecklistforAIAuditing

12

oIstheredocumentationwhichassurethat,whenprogrammingAI-basedcomponents,thecodingprinciples,codesandcoding,bestpracticesappliedarefollowedinordertoguaranteethatthecodeisreadable,secure,low-maintenanceandrobust?

oIsthebasicarchitectureoftheAIcomponentidentifiedanddocumented?Itmustincludeinformationonthechosenmachinelearningtechnique,thetype(s)oftestedand,whenappropriate,dismissedalgorithmsatthelearningandtrainingstages,andotherdataonthefunctioningoftherelevantcomponent,suchasthemodellossfunctionorcostfunction.

oDoesasystematicprocedurefordocumentingthecomponentimplementationprocedureexist?Isitimplemented?Itisnecessarytoguaranteeregistrationandsubsequentacquisitionofallnecessaryinformationtoidentifysuchcomponent,itselementsanditsenvironment,understandingwhatitdoesandwhyitdoesit,andenablestoverifycodequalityand