AI · 8 min read · April 25, 2026
Statistical Certification Framework for AI Risk Regulation
Researchers propose a two-stage verification method to quantify acceptable risk thresholds and audit AI system failure rates without model access.
A statistical framework uses aviation-style certification to measure and bound AI failure rates for regulatory compliance.
- Regulators mandate AI safety but lack quantitative definitions of acceptable risk or verification methods.
- RoMA and gRoMA tools compute upper bounds on system failure probability without accessing model internals (see the sketch after this list).
- Framework treats setting the acceptable failure probability and the operational domain as normative regulatory acts.
- Approach scales to any AI architecture and produces auditable, legally defensible certificates.
- Shifts accountability to developers by requiring pre-deployment quantitative safety evidence.
- Integrates with existing EU AI Act and NIST Risk Management Framework requirements.
- Black-box verification enables oversight of opaque statistical systems resistant to white-box analysis.
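The RoMA and gRoMA procedures themselves are not reproduced here, but the black-box idea they rely on can be illustrated with a minimal sketch: query the deployed system on inputs drawn from the declared operational domain, count failures, and convert the count into a one-sided statistical upper bound on the true failure probability. The Clopper-Pearson binomial bound and the names `certify_black_box`, `sample_input`, and `is_failure` below are assumptions for illustration, not the paper's method or API.

```python
import numpy as np
from scipy import stats


def clopper_pearson_upper(failures: int, trials: int, confidence: float = 0.99) -> float:
    """One-sided exact upper confidence bound on a binomial failure probability."""
    if failures == trials:
        return 1.0
    # Upper bound is the confidence-quantile of Beta(failures + 1, trials - failures).
    return float(stats.beta.ppf(confidence, failures + 1, trials - failures))


def certify_black_box(predict, sample_input, is_failure, delta,
                      n_samples=100_000, confidence=0.99, seed=0):
    """Estimate the failure rate of `predict` from input/output queries only,
    then check whether its statistical upper bound stays below delta."""
    rng = np.random.default_rng(seed)
    failures = 0
    for _ in range(n_samples):
        x = sample_input(rng)   # draw from the declared operational domain
        y = predict(x)          # black-box query: no access to weights or gradients
        failures += int(is_failure(x, y))
    upper = clopper_pearson_upper(failures, n_samples, confidence)
    return {
        "observed_rate": failures / n_samples,
        "upper_bound": upper,
        "certified": upper <= delta,
    }
```

The property this sketch shares with the article's claim is that the procedure needs only input/output access, so it applies to any architecture whose operational domain can be sampled, and its output is a concrete, auditable number rather than a qualitative assessment.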
Frequently asked
- What counts as acceptable risk? Acceptable risk is defined as a specific failure probability (δ) set by a regulatory authority for a given operational domain (ε). The framework does not define what δ should be; instead, it provides a method to verify that a deployed system's true failure rate stays below that threshold. The choice of δ is a normative regulatory decision, not a technical one.
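For concreteness, a hedged usage of the sketch above: the regulator fixes δ and the operational domain, the developer supplies the black-box model and a sampler for that domain, and the certificate is simply whether the verified upper bound sits below δ. The names `model_predict`, `sample_operational_domain`, and `violates_spec`, and the numeric values, are hypothetical stand-ins, not values from the paper.

```python
# Regulator-set parameters (illustrative values only).
DELTA = 1e-3        # acceptable failure probability for this operational domain
CONFIDENCE = 0.99   # statistical confidence required for the certificate

# model_predict, sample_operational_domain, and violates_spec are hypothetical
# stand-ins for the deployed system, the domain sampler, and the agreed failure criterion.
report = certify_black_box(
    predict=model_predict,
    sample_input=sample_operational_domain,
    is_failure=violates_spec,
    delta=DELTA,
    confidence=CONFIDENCE,
)
print(report)  # e.g. {'observed_rate': ..., 'upper_bound': ..., 'certified': True}
```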