Uncertainty. It's ep...ic!


 

In risk management, the terms "risk" and "uncertainty" are often used as synonyms, but they are not the same. While the EU AI Act provides a formal definition of risk based on probability (P) and severity (S), it does not answer the question of how to assess these two components under conditions of uncertainty.

The following two principal types of uncertainty are typically distinguished:

• Epistemic uncertainty is a knowledge deficit. It is the uncertainty that can, in principle, be reduced with more data or better models.
• Aleatoric uncertainty is inherent randomness. It is the irreducible unpredictability of a system or phenomenon, no matter how much knowledge is gathered.

In the context of AI technologies, a risk assessment (R = P x S) is always subject to both types. The probability (P) of a harm is epistemically uncertain (as we cannot foresee all deployment contexts) and aleatorically uncertain (as the interplay of various factors is random). Likewise, determining the severity (S) of a harm is subject to epistemic uncertainty and influenced by aleatoric conditions in any single case.

Therefore, risk is not the same as uncertainty, but it is always shaped by it. Since the EU AI Act has a limited tolerance for uncertainty, the critical question for compliance is not if uncertainty exists, but how to measure it and determine what level is legally accepted. While this may seem philosophical, the answer is essential for effective compliance.