What is the scope of application of this code?
The code is intended to apply to generative AI systems that have advanced capabilities enabling them to be adapted for a wide variety of uses in different contexts, including uses for which they were not specifically trained. Systems such as ChatGPT, Midjourney, Bard, and Llama are good examples of the types of systems that should be subject to the measures outlined in this code. However, AI systems across the economy are increasingly incorporating generative capabilities, and not all of these implementations present similar risks. It is important to note that generative tools designed to perform specific, low-risk functions, such as grammar correction, are not considered in-scope, although some of the identified measures could be applied by firms seeking a greater level of assurance.
How does this code relate to the Artificial Intelligence and Data Act and subsequent regulations?
The Artificial Intelligence and Data Act (AIDA) is still being considered by Parliament and is not expected to receive Royal Assent before 2024. The code is meant to provide a bridge to regulations under AIDA by providing a clear set of guidelines that firms can implement immediately. Regulations pertaining to general‑purpose systems under AIDA are expected to address similar issues as those identified in this voluntary code, and will be subject to broad public consultation and review before being brought into force.
How are developers and managers of advanced generative AI systems intended to work together to ensure the safety of systems?
The Human Oversight and Monitoring principle contains two symmetric measures intended to enable effective incident management, reporting, and risk mitigation. Managers of systems are intended to monitor for incidents of harmful uses or impacts, for example an AI system providing inaccurate health advice. Depending on the nature of the occurrence, system managers may be in a position to adjust their mitigation measures in response. If the incident may require intervention by the developer, the system manager is expected to report the incident to the developer. The developer would then track such reported incidents and provide updates to the system as needed to ensure the effectiveness of risk mitigation measures. Note that cybersecurity risks and incidents are treated separately under the code and should be addressed per the measure identified under the Validity and Robustness principle.
Who was consulted during the development of the code and what feedback was received?
Innovation, Science and Economic Development Canada conducted a public consultation on the code from early August to mid‑September 2023. The Government of Canada received recommendations and feedback from 92 respondents, including members of the Advisory Council on Artificial Intelligence, businesses of all sizes, academics, civil society organizations, and members of the public. Recommendations and feedback were provided via written submissions, stakeholder roundtable discussions, and bilateral meetings with Government representatives organized upon request from stakeholders. A summary of the views shared can be found in the Government's What We Heard Report for this consultation.