New AI regulations are coming: Is your organization ready?
In recent weeks, regulators and lawmakers around the world have asserted that new laws will soon shape how companies use artificial intelligence. In late March, the five largest federal financial regulators in the United States released a request for information on how banks use AI, signalling that new guidance is coming for the finance sector. A few weeks later, the U.S. Federal Trade Commission released an uncharacteristically bold set of guidelines on “truth, fairness, and equity” in AI — defining unfairness, and therefore the illegal use of AI, broadly as any act that “causes more harm than good.”
On April 21, the European Commission released its own proposal for the regulation of AI, which includes fines of up to 6% of a company’s annual revenues for noncompliance — fines higher than the historic penalties of up to 4% of global turnover that can be levied under the General Data Protection Regulation, or GDPR.
For companies adopting AI, the dilemma is clear: On the one hand, evolving regulatory frameworks on AI will significantly affect their ability to use the technology; on the other, with new laws and proposals still evolving, it can seem like it’s not yet clear what companies can and should do. But three central trends unite nearly all current and proposed laws on AI, which means there are concrete actions companies can undertake to ensure their systems don’t run afoul of any existing or future laws and regulations.
The first is the requirement to conduct assessments of AI risks and to document how such risks have been minimized or eliminated. A host of regulatory frameworks refer to these types of risk assessments as “algorithmic impact assessments” — sometimes called “IA for AI” — which have become increasingly popular across a range of AI and data protection frameworks.
Indeed, some of these types of requirements are already in place, such as Virginia’s Consumer Data Protection Act. Signed into law in March, it requires assessments for certain types of high-risk algorithms. In the EU, the GDPR currently requires similar impact assessments for high-risk processing of personal data.
Read Also: Fintechs in Nigeria: The role of regulation
Impact assessments also form a central part of the EU’S new proposal on AI regulation, which requires an eight-part technical document for high-risk AI systems that outlines “the foreseeable unintended outcomes and sources of risks” of each AI system, along with a risk-management plan designed to address such risks. The EU proposal aligns with the impact assessments required in a bill proposed in 2019 in both chambers of the U.S. Congress called the Algorithmic Accountability Act. That bill mandated similar reviews of the costs and benefits of AI systems related to AI risks. Democratic Sen. Ron Wyden of Oregon, one of the bills co-sponsors, reportedly plans to reintroduce it.
All such assessments have a two-part structure in common: mandating a clear description of the risks generated by each AI system and clear descriptions of how each individual risk has been addressed. Ensuring that AI documentation exists and captures each requirement for AI systems is a clear way to ensure compliance with new and evolving laws.
The second trend is accountability and independence, which, at a high level, requires both that each AI system be tested for risks and that the data scientists, lawyers and others evaluating the AI have different incentives than those of the front-line data scientists. In some cases, this simply means that AI be tested and validated by different technical personnel than those who originally developed it; in other cases (especially higher-risk systems), organizations may seek to hire outside experts for these assessments, to demonstrate full accountability and independence. (Full disclosure: bnh.ai, the law firm that I run, is frequently asked to perform this role.) Either way, ensuring that clear processes create independence between the developers and those evaluating the systems for risk is a central component of nearly all new regulatory frameworks on AI.
The FTC has been vocal on this point for years. In its April 19 guidelines, it recommended that companies “embrace” accountability and independence and commended the use of transparency frameworks, independent standards, independent audits and opening data or source code to outside inspection. (This recommendation echoed similar points on accountability the agency made publicly in April of last year.)
The last trend is the need for continuous review of AI systems, even after impact assessments and independent reviews have taken place. This makes sense. Because AI systems are brittle and subject to high rates of failure, AI risks inevitably grow and change over time — meaning that AI risks are never fully mitigated.
For this reason, lawmakers and regulators are sending the message that risk management is a continual process. In the eight-part documentation template for AI systems in the new EU proposal, an entire section is devoted to describing “the system in place to evaluate the AI system performance in the postmarket phase” — in other words, how the AI will be continuously monitored once it’s deployed.
For companies adopting AI, this means that auditing and review of AI should occur regularly, ideally in a structured process that ensures the highest-risk deployments are monitored the most thoroughly. Including details about this process in documentation — who performs the review, on what timeline, and the parties responsible — is a central aspect of complying with these new regulations.
Will regulators converge on other approaches to managing AI risks outside of these three trends? Surely.
There are many ways to regulate AI systems, from explainability requirements for complex algorithms to strict limitations for how certain AI systems can be deployed — for example, the bans on facial recognition that have been proposed in various jurisdictions throughout the world.
Indeed, lawmakers and regulators have still not even arrived at a broad consensus on what “AI” is. Some definitions, for example, are tailored so narrowly that they apply only to sophisticated uses of machine learning, which are relatively new to the commercial world; other definitions (such as the one in the recent EU proposal) appear to cover nearly any software system involved in decision-making, which would apply to systems that have been in place for decades. Diverging definitions of artificial intelligence are simply one among many signs that we are still in the early stages of global efforts to regulate AI.
But even in these early days, the ways that governments are approaching the issue of AI risk have clear similarities, meaning the standards for regulating AI are already becoming clear. So organizations adopting AI right now — and those seeking to ensure their existing AI remains compliant — need not wait to start preparing.