Regulating AI is tricky. Credit: NCSL

Someone (Else) Should Regulate AI

Kim Bellard
5 min readSep 30, 2024

There’s some good news/bad news about AI regulation. The good news is that this past weekend California Governor Gavin Newsome vetoed the controversial S.B. 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act. The bad news is that he vetoed S.B. 1047.

Or maybe it’s the other way around.

Honestly, I’m not sure how I should feel about the veto. Smarter, more knowledgeable people than me had lined up on both sides. No legislation is ever perfect, of course, and it’s never possible to fully anticipate the consequence of most new laws, but a variety of polls indicate that most Americans support some regulation of AI.

“American voters are saying loud and clear that they don’t want to see AI fall into the wrong hands and expect tech companies to be responsible for what their products create,” said Daniel Colson, Executive Director of the Artificial Intelligence Policy Institute. “Voters are concerned about AI advancement — but not about the U.S falling behind China; they are concerned about how powerful it can become, how quickly it can do so and how many people have access to it.”

Credit: AIPI

S.B. 1047 would have, among other things, required safety testing of large AI models before their public release, given the state the right to sue AI companies for damages caused by their AI, and mandated a “kill switch” in case of catastrophic outcomes. Critics claimed it was too vague, only applied to large models, and, of course, would stifle innovation.

In his statement explaining his veto, Governor Newsome pointed out the unequal treatment of the largest models and “smaller, specialized” models, while stressing that action is needed and that California should lead the way. He pointed out that California has already taken some action on AI, such as for deepfakes, and punted the issue back to the legislature, while promising to work with AI experts on improved legislation/regulation.

The bill’s author, Senator Scott Wiener, expressed his disappointment: “This veto is a setback for everyone who believes in oversight of massive corporations that are making critical decisions that affect the safety and welfare of the public and the future of the planet.” Moreover, he added: “This veto leaves us with the troubling reality that companies aiming to create an extremely powerful technology face no binding restrictions from U.S. policymakers, particularly given Congress’s continuing paralysis around regulating the tech industry in any meaningful way.”

Indeed, as on most tech issues, Congress has been largely missing in action. “States and local governments are trying to step in and address the obvious harms of A.I. technology, and it’s sad the federal government is stumped in regulating it,” Patrick Hall, an assistant professor of information systems at Georgetown University, told The New York Times. “The American public has become a giant experimental population for the largest and richest companies in world.”

I don’t know why we’d expect any more from Congress; it’s never gotten its hands around the harms caused by Facebook, Twitter, or Instagram, and the only reason it took any action against TikTok was because of its Chinese parent company. It may take Chinese AI threatening American for Congress to act.

As was true with privacy, the European Union was quicker to take action, agreeing on regulationthe A.I. Act — last year, after debating it some three years. That being said, the Act won’t be in effect until August 2025, and the details are still being drafted. Meanwhile, big tech companies — mostly American — are working to weaken it.

So it goes.

Summary of EU AI Act Credit: Analytics Creator

In the absence of new legislation, not all is lost. For example, Owen J. Daniels and Jack Corrigan, writing in FedScoop, outline three approaches regulators should be taking:

First, agencies must begin to understand the landscape of AI risks and harm in their regulatory jurisdictions. Collecting data on AI incidents — where AI has unintentionally or maliciously harmed individuals, property, critical infrastructure, or other entities — would be a good starting point.

Second, agencies must prepare their workforces to capitalize on AI and recognize its strengths and weaknesses. Developing AI literacy among senior leaders and staff can help improve understanding and more measured assessments of where AI can appropriately serve as a useful tool.

Third and finally, agencies must develop smart, agile approaches to public-private cooperation. Private companies are valuable sources of knowledge and expertise in AI, and can help agencies understand the latest, cutting-edge advancements. Corporate expertise may help regulators overcome knowledge deficiencies in the short term and develop regulations that allow the private sector to innovate quickly within safe bounds.

Similarly, Matt Keating and Malcolm Harkins, writing in CyberScoop, warn: “Most existing tech stacks are not equipped for AI security, nor do current compliance programs sufficiently address AI models or procurement processes. In short, traditional cybersecurity practices will need to be revisited and refreshed.” They urge that AI developers build with security best practices in mind, and that organizations using AI “should adopt and utilize a collection of controls, ranging from AI risk and vulnerability assessments to red-teaming AI models, to help identify, characterize, and measure risk.”

In the absence of state or federal legislation, we can’t just throw our hands up and do nothing. AI is evolving much too fast.

There are some things that I’d hope we can agree on. For example, our images, voices, and other personal characteristics shouldn’t be allowed to be used/altered by AI. We should know what information is original and what is AI-generated/altered. AI shouldn’t be used to ferret out even more of our personal information. We should be careful about to whom we sell/license it to, and we should be hardening all of our technology against the AI-driven cyberattacks that will, inevitably, come. We need to determine who is responsible, how, for which harms.

And we need to have a serious discussion about who benefits from AI. If AI is used to make a handful of rich people even richer, while costing millions of people jobs, that is a societal problem that we cannot just ignore — and must not allow.

Regulating a new technology, especially a world-changing one like AI, is tricky. Do it too soon/too harsh, and it can deter innovation, especially while other jurisdictions don’t impose them. Do it too late/too lightly, and, well, you get social media.

There’s something important we all can do. When voting this fall, and in every other election, we should be asking ourselves: is this candidate someone who understands the potentials and perils of AI and is prepared to get us ready, or is it someone who will just try to ignore them?

--

--

Kim Bellard
Kim Bellard

Written by Kim Bellard

Curious about many things, some of which I write about — usually health care, innovation, technology, or public policy. Never stop asking “why” or “why not”!

No responses yet