EU AI Act: The Regulatory Trap of Model Identity During Fine-Tuning
The European AI Act introduces a lifecycle management regime for high-risk systems that, in practice, threatens to become a bureaucratic nightmare. As Andrea Ferrario from the University of Zurich and ETH Zürich points out, the entire regulatory mechanism hinges on the vague concept of "substantial modification." According to Article 3(23) and Recital 128, this is the trigger that forces a provider to decide: is this still the same reliable model, or a new "legal entity" requiring full recertification?
The problem lies in the Act's lack of clear internal criteria for system identity. Regulators have effectively outsourced the boundary between a routine patch and a brand-new model to external harmonization tools. Consequently, businesses are held hostage by "diachronic uncertainty": any attempt to optimize weights or fine-tune a model on fresh data could be interpreted as a legal rupture.
For entrepreneurs, this means every continuous deployment cycle risks turning into an endless marathon of conformity assessments.
To avoid sinking into this regulatory quagmire, researchers suggest implementing a "function+" framework, which ties AI identity to specific reliability profiles. In our view, the only way to protect R&D budgets from the appetites of compliance departments is to develop standardized reporting on the system's "intended purpose" today. You will need to establish internal identity baselines to prove that algorithmic optimization is a technical routine, not the "birth" of a new product requiring a total certification reset.
Key Takeaways for Business:
- Any model fine-tuning may be interpreted by EU regulators as the creation of a new product.
- The lack of clear "identity" criteria for AI forces companies to independently prove version continuity.
- You must implement internal reporting standards for intended purpose early to avoid re-certification with every weight update.