EU AI Act faces identity crisis: When is an updated AI still the same system?

The EU Artificial Intelligence Act (AIA) imposes lifecycle obligations on high-risk AI systems—ex-ante conformity assessment, post-market monitoring, and re-assessment after 'substantial modification.' But as Ferrario argues, these rules presuppose a clear answer to an unresolved question: when does an updated AI system count as the same system over time? The paper, accepted at ACM FAccT '26, shows that the AIA provides no internal, auditable criterion for synchronic identity—deciding whether two AI systems at the same time should be treated identically for procurement, liability, or market surveillance. Without this, regulators and providers lack a principled way to enforce lifecycle governance consistently.

Ferrario introduces the 'function+' framework of artifact identity, which individuates AI systems by their intended function combined with context-sensitive criteria of appropriate functioning—captured as 'AI trustworthiness.' Function+ supplies a synchronic identity test anchored in trustworthiness profiles and levels, making identity decisions inspectable. The paper provides a correspondence map between AIA lifecycle obligations and function+ components, plus a minimal decision flow for audit and dispute contexts. Key recommendations: more precise, testable reporting of intended purpose, and standardized, auditable trustworthiness reporting that supports comparability over time and across deployments—a practical step toward closing a regulatory blind spot.