Setting Up an Ethical Review Board for AI
Establishing a formal mechanism for ethical oversight of artificial intelligence systems is rapidly transitioning from a voluntary best practice to a core component of risk management and regulatory compliance within the European Union. As organizations across sectors—from healthcare and finance to manufacturing and public administration—deploy increasingly complex AI models, the need for a structured, documented, and multidisciplinary review process becomes critical. This is not merely a matter of corporate social responsibility; it is a prerequisite for operational resilience and legal certainty under the EU AI Act and overlapping frameworks like the GDPR. An Ethical Review Board (ERB), sometimes referred to as an AI Ethics Committee or an Algorithmic Oversight Body, serves as the institutional anchor for this oversight. It provides a forum for deliberation, a mechanism for scrutiny, and a source of guidance that bridges the gap between technical development teams, legal counsel, senior management, and external stakeholders. This article provides a practical guide to establishing such a board, focusing on the charter, membership composition, review criteria, and decision workflow, all situated within the evolving European regulatory landscape.
Defining the Mandate and Scope
The first and most critical step in forming an ERB is to define its mandate through a formal charter. This document is the board’s constitution; it outlines its purpose, authority, responsibilities, and limitations. A common pitfall is creating a board with an ambiguous or purely advisory role, which can lead to its recommendations being ignored when they conflict with commercial pressures or project timelines. To be effective, the charter must be integrated into the organization’s governance structure, granting the ERB the necessary authority to influence or, in high-risk cases, halt a project. The charter should explicitly state whether the board’s purview covers all AI systems developed or deployed by the organization, or if it is limited to specific domains, such as systems classified as ‘high-risk’ under the AI Act, or those involving sensitive data like biometrics or health information.
Alignment with the EU AI Act
The EU AI Act provides a powerful lens through which to define the ERB’s scope. The Act introduces a risk-based classification system: unacceptable risk (prohibited practices), high-risk (subject to strict obligations), limited risk (transparency obligations), and minimal risk (no specific obligations). An ERB’s charter should map its review activities directly to these categories. For instance, the board could be mandated to conduct an in-depth review of every system classified as ‘high-risk’ before it is placed on the market or put into service. This review would assess compliance with the AI Act’s requirements for risk management systems, data governance, technical documentation, record-keeping, transparency, human oversight, and accuracy, robustness and cybersecurity. The charter should also clarify the board’s role in two further cases: systems that fall outside the ‘high-risk’ list but still raise significant ethical or societal concerns, and proposed uses that are prohibited practices under Article 5 rather than merely high-risk, such as emotion recognition in the workplace (outside the narrow medical and safety exceptions) or predictive policing of individuals based solely on profiling. For the latter, the board needs the authority to stop the project outright rather than to recommend mitigations.
Legal Definition (EU AI Act): The classification rules for a ‘high-risk AI system’ are set out in Article 6 of the Regulation. Two routes lead there: AI that is a safety component of, or is itself, a product covered by the Union harmonisation legislation listed in Annex I, and the stand-alone use cases listed in Annex III, which cover biometrics, critical infrastructure, education and vocational training, employment, access to essential private and public services (including credit scoring and health insurance), law enforcement, migration and border control, and the administration of justice and democratic processes. Providers must complete a conformity assessment before placing such a system on the market or putting it into service.
Beyond the AI Act, the charter must acknowledge the overlapping jurisdiction of the General Data Protection Regulation (GDPR), particularly Article 22, which grants individuals the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. An ERB is an ideal body to assess whether a proposed AI system falls under Article 22 and, if so, to ensure that appropriate safeguards—such as meaningful information about the logic involved and the right to human intervention—are engineered into the system. The charter should therefore establish the ERB as a cross-functional body capable of assessing compliance not just with the AI Act, but with the full spectrum of relevant EU and national legislation.
Distinguishing Between EU-Level Regulations and National Implementations
While the AI Act and GDPR are directly applicable EU regulations, their application is not entirely uniform. Member States must designate national competent authorities, including a market surveillance authority and a notifying authority for AI systems, and national law decides which existing regulators take on those roles. An organization’s ERB must be aware of these national nuances. The charter should task the board with monitoring guidance and interpretations issued by national authorities in the jurisdictions where the organization operates. For instance, the approach to supervising AI in medical devices might differ between Germany’s Federal Institute for Drugs and Medical Devices (BfArM) and France’s Agence nationale de sécurité du médicament et des produits de santé (ANSM). The ERB’s mandate should include ensuring that the organization’s internal governance procedures are adaptable to these national-level variations.
Composition and Membership: The Principle of Multidisciplinarity
The effectiveness of an ERB depends heavily on the diversity and expertise of its members. A board composed solely of engineers or solely of lawyers will lack the holistic perspective necessary to identify and mitigate complex risks. The core principle must be multidisciplinarity, bringing together technical, legal, ethical, and domain-specific expertise. The size of the board can vary depending on the organization’s scale and the complexity of its AI portfolio, but a typical composition might include 5 to 11 voting members. It is also advisable to include non-voting observers, such as representatives from product management or senior leadership, to ensure a flow of information without compromising the board’s independent deliberation.
Core Competencies and Roles
The essential competencies for an ERB can be broken down into several key areas:
- Technical Expertise: At least one member must possess deep knowledge of machine learning, data science, and software engineering. This individual is responsible for assessing the technical feasibility of safeguards, the quality of training data, the potential for model drift, and the robustness of the system’s architecture. They translate abstract ethical principles into concrete technical requirements.
- Legal and Regulatory Expertise: A member with a background in data protection, technology law, or regulatory compliance is non-negotiable. This person interprets the obligations under the AI Act, GDPR, and other relevant legislation, advising on the organization’s legal exposure and the necessary documentation for conformity assessments.
- Domain Expertise: The board’s composition must reflect the organization’s primary field. If the company develops AI for medical diagnostics, a clinician or biomedical researcher is essential. For a bank deploying credit scoring models, an expert in financial services and consumer protection law is needed. This ensures that the ethical review is grounded in the real-world context and potential impact of the system.
- Internal Ethics or Compliance Representative: This member understands the organization’s internal code of conduct, existing compliance procedures, and corporate culture. They act as a bridge between the ERB’s deliberations and the company’s broader governance framework.
- External Ethicist or Social Scientist: Including an external member with expertise in ethics, sociology, or philosophy provides a crucial independent perspective. This helps to challenge internal biases and ensures that the review considers broader societal impacts beyond immediate business or legal concerns. Note that the AI Act does not prescribe the composition of an ethics board; its human oversight provisions (Article 14) concern how the system itself is designed and operated. The case for external members rests on independence, not on a statutory requirement.
Independence and Conflict of Interest
To maintain credibility and effectiveness, ERB members must be independent and free from conflicts of interest. An individual who is directly responsible for the commercial success of a project under review cannot be an impartial judge of its risks. The charter must include a formal conflict of interest policy, requiring members to disclose any potential conflicts at the outset of each review and to recuse themselves from deliberations where necessary. For external members, this may involve contractual clauses that prevent them from having a financial stake in the approval of a specific project. The goal is to foster an environment of psychological safety, where members feel empowered to voice dissenting opinions without fear of professional reprisal.
Appointment, Terms, and Training
Members should be appointed through a formal process, typically involving senior leadership and potentially an external advisory council. Terms of service should be fixed (e.g., two or three years) with the possibility of renewal to ensure a balance between continuity and fresh perspectives. Crucially, all members must receive ongoing training. The regulatory landscape for AI is dynamic; the AI Act itself will be implemented over several years, and national guidance will evolve. The organization should invest in regular training sessions for the ERB on new legal developments, emerging technical risks (e.g., prompt injection attacks on LLMs), and evolving best practices in ethical review methodologies.
The Review Criteria: A Framework for Scrutiny
An ERB cannot operate on intuition. It requires a structured framework of review criteria to ensure that its assessments are consistent, comprehensive, and auditable. This framework should be documented in the ERB’s charter or in a separate operating procedure. The criteria should be designed to probe the system’s entire lifecycle, from conception and data collection to deployment and decommissioning. A robust framework will integrate the specific requirements of the EU AI Act with broader ethical principles.
Legality and Fundamental Rights
The first layer of review is a fundamental rights and legality assessment. The ERB must ask: Is this system legal under EU and national law? This involves a check against the prohibited practices listed in Article 5 of the AI Act, such as manipulative or subliminal techniques, untargeted scraping of facial images to build recognition databases, or social scoring (which the Act prohibits for public and private actors alike). It also involves a deep dive into data protection compliance. The board should scrutinize the legal basis for processing personal data (especially special category data under GDPR Article 9), verify that data minimization and purpose limitation principles are respected, and assess the system’s impact on rights such as non-discrimination and privacy. For systems that could significantly impact individuals, a full Data Protection Impact Assessment (DPIA) under GDPR Article 35 should be a prerequisite for the ERB’s review, and where Article 27 of the AI Act requires the deployer to carry out a fundamental rights impact assessment, that assessment belongs in the dossier as well.
Proportionality and Necessity
A core ethical and legal test is that of proportionality. The ERB must evaluate whether the AI system is a necessary and proportionate tool to achieve the stated objective. This involves asking critical questions: Is a non-AI solution feasible? Is the level of intrusion into individual rights justified by the expected benefit? For example, using a complex biometric surveillance system to monitor employee productivity would likely be deemed disproportionate, whereas using it for physical security in a high-risk facility might be justifiable, subject to strict safeguards. This criterion forces a mature consideration of whether technology is being used because it is effective, or simply because it is novel.
Fairness and Non-Discrimination
Bias in AI systems is a significant risk. The ERB’s review criteria must include a thorough assessment of fairness. This is not just a technical check for statistical parity; it is a socio-technical evaluation. The board should examine:
- Training Data: Is the data representative of the populations the system will affect? Does it contain historical biases that could be learned and amplified by the model?
- Model Design: Are there features that act as proxies for sensitive attributes like race, gender, or age? Have fairness metrics been used during development to mitigate disparate impacts?
- Operational Context: How will the system’s outputs be used? Could a seemingly neutral output be applied in a discriminatory way by human operators?
The ERB should require developers to present evidence of their bias mitigation strategies and the results of any fairness audits. Interpretation: Under the AI Act, biometric categorisation that infers protected characteristics such as race, political opinions or sexual orientation from biometric data is a prohibited practice under Article 5, while other biometric categorisation and emotion recognition systems are listed as high-risk in Annex III; the ERB must establish which side of that line a proposed system falls on and, for the high-risk case, ensure the stricter requirements are met.
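As an added illustration (not part of the original article), the following Python computes the evidence a board would ask a project team to table for the three checks above: per-group selection rates and error rates from the training data and model outputs, a disparate-impact ratio and equal-opportunity gap for the model, and a proxy score that measures how much a candidate feature reveals about the protected attribute. The decision records, feature samples, group labels and thresholds are all constructed for this example; the four-fifths rule (ratio below 0.8) is a common rule of thumb, not a requirement of the AI Act.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed decision records (not real data): (protected group, actual outcome, model decision).
DECISIONS = (
    [("A", 1, 1)] * 40 + [("A", 0, 1)] * 10 + [("A", 1, 0)] * 10 + [("A", 0, 0)] * 40
    + [("B", 1, 1)] * 20 + [("B", 0, 1)] * 5 + [("B", 1, 0)] * 30 + [("B", 0, 0)] * 45
)

# Constructed (feature value, protected group) samples for the proxy check. "postcode" maps
# one-to-one onto the group; "shift" is independent of it.
FEATURES = {
    "postcode": [("P1", "A")] * 50 + [("P2", "B")] * 50,
    "shift": [("day", "A")] * 25 + [("night", "A")] * 25 + [("day", "B")] * 25 + [("night", "B")] * 25,
}


def group_rates(decisions):
    """Per-group selection rate, true-positive rate and false-positive rate."""
    counts = defaultdict(lambda: {"n": 0, "selected": 0, "pos": 0, "tp": 0, "neg": 0, "fp": 0})
    for group, actual, predicted in decisions:
        c = counts[group]
        c["n"] += 1
        c["selected"] += predicted
        if actual == 1:
            c["pos"] += 1
            c["tp"] += predicted
        else:
            c["neg"] += 1
            c["fp"] += predicted
    return {
        g: {
            "n": c["n"],
            "selection_rate": c["selected"] / c["n"],
            "tpr": c["tp"] / c["pos"] if c["pos"] else float("nan"),
            "fpr": c["fp"] / c["neg"] if c["neg"] else float("nan"),
        }
        for g, c in counts.items()
    }


def disparate_impact_ratio(rates):
    """Lowest group selection rate divided by the highest."""
    sel = [r["selection_rate"] for r in rates.values()]
    return min(sel) / max(sel) if max(sel) > 0 else float("nan")


def equal_opportunity_gap(rates):
    """Largest difference in true-positive rate between any two groups."""
    tprs = [r["tpr"] for r in rates.values()]
    return max(tprs) - min(tprs)


def proxy_score(pairs):
    """Normalised mutual information I(F;G)/H(G) between a feature F and the protected group G.
    1.0 means the feature reveals the group completely; 0.0 means it carries no information."""
    n = len(pairs)
    pf = Counter(f for f, _ in pairs)
    pg = Counter(g for _, g in pairs)
    pfg = Counter(pairs)
    h_g = -sum(c / n * math.log(c / n) for c in pg.values())
    if h_g == 0:
        return 0.0
    mi = sum(c / n * math.log((c / n) / ((pf[f] / n) * (pg[g] / n))) for (f, g), c in pfg.items())
    return max(0.0, mi / h_g)


def fairness_report(decisions, feature_pairs, di_threshold=0.8, proxy_threshold=0.5):
    """Assemble the metrics and the findings a reviewer would raise (thresholds are assumptions)."""
    rates = group_rates(decisions)
    di = disparate_impact_ratio(rates)
    gap = equal_opportunity_gap(rates)
    proxies = {name: proxy_score(pairs) for name, pairs in feature_pairs.items()}
    findings = []
    if di < di_threshold:
        findings.append(f"disparate impact ratio {di:.2f} is below {di_threshold}")
    for name, score in proxies.items():
        if score >= proxy_threshold:
            findings.append(f"feature '{name}' acts as a proxy for the protected attribute (score {score:.2f})")
    return {
        "rates": rates,
        "disparate_impact": di,
        "equal_opportunity_gap": gap,
        "proxies": proxies,
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(fairness_report(DECISIONS, FEATURES), indent=2))
```

On the constructed data group B is selected half as often as group A and, among applicants who actually qualify, is missed twice as often, so the ratio fails the rule of thumb even though overall accuracy looks acceptable; the postcode proxy shows how a model with no protected attribute as input can still reconstruct it. A board would expect the same tables for validation data and for live decisions after deployment.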
Transparency and Explainability
Transparency is a cornerstone of trustworthy AI. The ERB must assess whether the system’s operation is sufficiently transparent for all relevant stakeholders. This includes:
- For Users: Can a human operator understand the system’s capabilities and limitations? Is it clear when they are interacting with an AI system?
- For Affected Individuals: Are they informed that a decision affecting them is being made by an AI? Can they understand the logic behind a decision well enough to exercise their rights (e.g., meaningful information about the logic involved under GDPR Articles 13 to 15, and the right to human intervention and to contest the decision under Article 22)?
- For the Organization: Is the system’s behavior sufficiently documented and auditable for internal oversight and regulatory inspection?
The review should consider the trade-offs between transparency (e.g., using simpler, more interpretable models) and performance, and push for a solution that provides the necessary level of explainability for the context.
Robustness, Safety, and Human Oversight
AI systems must be reliable and safe. The ERB’s criteria must include an assessment of the system’s robustness against adversarial attacks, data drift, and unexpected inputs. It should ask for evidence of stress testing and red-teaming. Furthermore, for high-risk systems, the AI Act mandates appropriate levels of human oversight. The ERB is the perfect body to scrutinize these “human-in-the-loop” mechanisms. It must evaluate whether the human oversight is meaningful. For example, is the human operator given enough time and relevant information to override the AI’s decision? Is the operator sufficiently trained to understand the AI’s output? A system where a human is required to approve an AI recommendation in under three seconds is not subject to meaningful human oversight; it is a rubber-stamping exercise. The ERB must ensure that the design of human oversight is robust enough to prevent or mitigate potential harm.
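Whether oversight is meaningful can be measured after deployment rather than argued in the abstract. The following Python, added here as an example and not taken from the article, runs over constructed JSON Lines operator logs (one line per case: the AI recommendation, the operator's final decision, the operator and the seconds taken) and flags the rubber-stamping pattern described above: a median decision time too short to have read the case, an override rate near zero, or individual operators who never disagree with the system. The log format, field names and thresholds are assumptions for this example.

```python
import json
import statistics
from collections import defaultdict

# Constructed oversight log in JSON Lines form (not from any real system).
LOG_LINES = """\
{"case": "c1", "operator": "op1", "ai": "reject", "human": "reject", "seconds": 2.1}
{"case": "c2", "operator": "op1", "ai": "reject", "human": "reject", "seconds": 1.8}
{"case": "c3", "operator": "op1", "ai": "approve", "human": "approve", "seconds": 2.6}
{"case": "c4", "operator": "op1", "ai": "reject", "human": "reject", "seconds": 2.2}
{"case": "c5", "operator": "op1", "ai": "approve", "human": "approve", "seconds": 3.0}
{"case": "c6", "operator": "op2", "ai": "reject", "human": "reject", "seconds": 1.9}
{"case": "c7", "operator": "op2", "ai": "approve", "human": "approve", "seconds": 2.4}
{"case": "c8", "operator": "op2", "ai": "reject", "human": "reject", "seconds": 2.0}
{"case": "c9", "operator": "op2", "ai": "approve", "human": "approve", "seconds": 2.7}
{"case": "c10", "operator": "op2", "ai": "reject", "human": "approve", "seconds": 41.5}
""".splitlines()


def parse_log(lines):
    """Parse JSON Lines oversight records, skipping blank lines and rejecting malformed ones."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        records.append({
            "case": rec["case"],
            "operator": rec["operator"],
            "ai": rec["ai"],
            "human": rec["human"],
            "seconds": float(rec["seconds"]),
        })
    return records


def audit_oversight(records, min_median_seconds=30.0, min_override_rate=0.02, fast_seconds=5.0):
    """Summarise oversight behaviour and flag rubber-stamping. Thresholds are example assumptions."""
    if not records:
        raise ValueError("no oversight records to audit")
    seconds = [r["seconds"] for r in records]
    overrides = sum(r["human"] != r["ai"] for r in records)
    by_operator = defaultdict(lambda: {"n": 0, "overrides": 0})
    for r in records:
        by_operator[r["operator"]]["n"] += 1
        by_operator[r["operator"]]["overrides"] += r["human"] != r["ai"]

    median = statistics.median(seconds)
    override_rate = overrides / len(records)
    fast_share = sum(s < fast_seconds for s in seconds) / len(records)
    per_operator = {
        op: {"n": c["n"], "override_rate": c["overrides"] / c["n"]}
        for op, c in sorted(by_operator.items())
    }

    findings = []
    if median < min_median_seconds:
        findings.append(f"median decision time {median:.1f}s is below {min_median_seconds:.0f}s")
    if override_rate < min_override_rate:
        findings.append(f"override rate {override_rate:.3f} is below {min_override_rate}")
    for op, c in per_operator.items():
        if c["override_rate"] == 0.0:
            findings.append(f"operator {op} never overrode the AI in {c['n']} cases")
    return {
        "records": len(records),
        "median_seconds": median,
        "override_rate": override_rate,
        "fast_share": fast_share,
        "per_operator": per_operator,
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(audit_oversight(parse_log(LOG_LINES)), indent=2))
```

On the constructed log the overall override rate looks healthy only because of a single slow case; the median of about two seconds and an operator who never disagrees are the signals the board should ask about. The same aggregation belongs in the post-deployment monitoring protocol, since oversight that was meaningful at launch can decay as operators learn to trust the system.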
The Decision Workflow: From Submission to Resolution
The process by which an AI project comes before the ERB, is reviewed, and receives a decision is as important as the review itself. A clear, well-documented workflow ensures efficiency, consistency, and accountability. The workflow should be integrated into the organization’s project management and software development lifecycle (SDLC) to ensure that ethical review is not an afterthought but a standard checkpoint.
Step 1: Project Submission and Scoping
The process begins when a project team submits a project for review. This submission should be facilitated through a standardized intake form or “Ethical Review Dossier.” This dossier is a critical piece of documentation. It should require the project team to provide, at a minimum:
- A clear description of the AI system’s intended purpose and the context of its use.
- A self-assessment of the system’s risk classification under the AI Act.
- A description of the data used for training, validation, and testing, including its provenance and any known biases.
- The results of any preliminary testing on performance, fairness, and robustness.
- A draft of the technical documentation required by the AI Act.
- An assessment of the potential impact on fundamental rights and a description of the proposed mitigation measures.
Upon submission, the ERB chair or a designated reviewer performs an initial triage. Low-risk projects or minor updates to existing systems might be fast-tracked or reviewed via an expedited procedure, while high-risk or novel projects are scheduled for a full board review.
Step 2: The Deliberation Process
For projects requiring a full review, the ERB convenes a dedicated meeting. The workflow for this meeting should be structured:
- Presentation: The project team presents their dossier, explaining the system’s function, benefits, and the ethical considerations they have already addressed.
- Q&A: The ERB members question the project team, probing assumptions, challenging evidence, and seeking clarification on technical and legal points.
- Deliberation: The project team withdraws, and the ERB deliberates in camera. They systematically work through the review criteria (legality, fairness, transparency, etc.), using the dossier as evidence.
- Decision Formulation: The board agrees on a decision and, if necessary, a set of conditions or recommendations.
This deliberation must be meticulously minuted. The minutes should capture the key arguments, the rationale for the decision, and any specific conditions imposed. These minutes are a vital governance record, providing evidence of due diligence in the event of a regulatory audit or a public inquiry.
Step 3: The Spectrum of Decisions
The ERB’s decision should not be a simple binary ‘yes’ or ‘no’. A well-functioning board will use a spectrum of decisions that reflect the nuances of the review. Possible outcomes include:
- Unconditional Approval: The project is fully compliant and poses no significant ethical concerns. It can proceed as planned.
- Conditional Approval: This is the most common outcome for complex projects. The project is approved to proceed, but only on the condition that the project team implements specific, time-bound mitigation measures. For example, “Approval is conditional on the implementation of a counterfactual fairness intervention and the publication of a transparency report before launch.”
- Request for Further Information: The board cannot make a decision because the dossier is insufficient. The project is paused until the team provides the required information or analysis.
- Rejection: The project is not approved. This decision should be reserved for cases where the risks are unmitigable or the system’s purpose is deemed unethical or illegal. The rationale for rejection must be exceptionally well-documented.
- Referral: In some cases, the ERB may determine that the project’s risks fall outside its own expertise or mandate and may refer it to a higher authority, such as the executive board, or a specialized external body.
Step 4: Follow-up and Monitoring
The ERB’s responsibility does not end with the decision. For conditionally approved projects, the workflow must include a follow-up mechanism. The project team must return to the board to demonstrate that the required conditions have been met before the system can be deployed. Post-deployment, the ERB should establish a monitoring protocol. High-risk systems, in particular, are subject to a continuous risk management cycle under the AI Act. The ERB should schedule periodic reviews (e.g., annually or upon significant changes) to assess whether the system’s real-world performance aligns with the pre-deployment assessment, whether new risks have emerged, and whether the system remains
