Ahead of the AI Safety Summit, to be held at the UK’s famous Bletchley Park in November, I wanted to outline three areas I would like to see the summit address to help simplify the complex AI regulatory landscape.
When we start any conversation about the risks and potential use cases for an artificial intelligence (AI) or machine learning (ML) technology, we must be able to answer three key questions:
- What AI models are being used?
- What data is being fed into them?
- What outputs do they produce?
I discussed these questions on a recent episode of Netskope’s Security Visionaries podcast with Yihua Liao, Head of Netskope AI Labs, and Suzanne Oliver, Director of IP Strategy at Scintilla. We had a lively conversation about transparency, data, responsibility, and regulation in this complex AI landscape.
Transparency and models
Before we talk about AI, we first need to be clear about what we’re discussing, starting with the distinction between technologies, specifically artificial intelligence and machine learning. Because early media coverage fixated on ChatGPT, we now find ourselves in a confusing landscape where many people conflate ChatGPT with AI or ML as a whole, in much the same way we conflate Google with search engines.
Understanding the model being used is essential, because two models can take exactly the same data set and draw wildly different conclusions, driven by biases (conscious or unconscious) that are ingrained from the outset. More importantly, without a clear understanding of the model, a business cannot determine whether the platform’s outputs fit within its own risk and ethics criteria.
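To make that point concrete, here is a minimal sketch, using scikit-learn and entirely synthetic, made-up data, of two model families trained on identical records reaching different conclusions about the same borderline input. It is an illustration of the principle, not a representation of any real screening model:

```python
# Illustrative only: two model families, identical (synthetic) training
# data, different conclusions about the same borderline input.
from sklearn.linear_model import LogisticRegression
from sklearn.tree import DecisionTreeClassifier

# Synthetic applicant records: [years_experience, assessment_score]
X = [[1, 40], [2, 55], [3, 45], [5, 80], [7, 60], [9, 90], [4, 70], [6, 50]]
y = [0, 0, 0, 1, 1, 1, 1, 0]  # 1 = screened in, 0 = screened out (invented)

linear = LogisticRegression().fit(X, y)
tree = DecisionTreeClassifier(max_depth=2, random_state=0).fit(X, y)

borderline = [[4, 52]]  # the same applicant presented to both models
print("linear model:", linear.predict_proba(borderline))
print("tree model:  ", tree.predict_proba(borderline))
# The decision boundaries (and therefore the confidence, and sometimes
# the decision itself) differ purely because of the model chosen.
```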
When considering regulations around specific models, there is currently little that governs the processes or algorithms themselves, but we should be mindful of regulations around their eventual outputs. For example, an HR tool that uses machine learning to screen job applications could expose a company to claims under discrimination legislation unless strict efforts are made to mitigate bias; one way to audit for this is shown in the sketch below. Similarly, an ML tool that can identify images of passports, driving licences, and credit cards will be subject to personal data regulations.
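As one hypothetical example of such mitigation, a governance team could run a simple disparate-impact check (the “four-fifths rule” familiar from US employment guidance) over a screening tool’s outputs. The counts below are invented, and this is a sketch of how such an audit might look, not a compliance tool:

```python
# Hypothetical disparate-impact check on a screening model's outputs.
# The four-fifths rule flags any group whose selection rate falls below
# 80% of the highest group's rate. All counts are invented.
def selection_rate(selected: int, total: int) -> float:
    return selected / total

outcomes = {
    # group: (applicants screened in, total applicants) -- synthetic
    "group_a": (48, 100),
    "group_b": (30, 100),
}

rates = {g: selection_rate(s, t) for g, (s, t) in outcomes.items()}
benchmark = max(rates.values())

for group, rate in rates.items():
    ratio = rate / benchmark
    flag = "REVIEW" if ratio < 0.8 else "ok"
    print(f"{group}: selection rate {rate:.0%}, impact ratio {ratio:.2f} [{flag}]")
```

A check like this only inspects outputs; it says nothing about why the model behaves as it does, which is exactly why transparency about the model itself matters.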
With so much variation in AI and ML models, the question arises whether regulators could help standardise risk parameters for these models, giving industry greater reassurance when onboarding a solution. In the automotive industry, for example, we have clearly defined levels of autonomy for driverless vehicles, enabling car companies to innovate within a comfortable set of parameters. Because AI sits on such a broad spectrum, from ML data processing to generative AI, there is an interesting opportunity for regulators to bring clarity to a complex sector.
AI data supply chain
Before regulators leap into action on how they could control the development and use of AI, we should first take a look at how existing regulations could be applied to AI.
AI and machine learning tools rely heavily on a dependable data supply chain, and IT and security leaders are already working to ensure compliance with a raft of data legislation, swimming in acronyms like HIPAA, GLBA, COPPA, CCPA, and GDPR. Since GDPR came into force in 2018, CISOs and IT leaders have been required to make clear what data they collect, process, and store, and for what purpose, with stipulations over individual users’ rights to control the use of their data. Leaders have rightly been concerned about how deploying AI and ML tools would affect their ability to meet these existing regulatory requirements.
Businesses are asking both regulators and AI companies for the same thing: clarity. Clarity on how existing regulations will be applied to AI tools and, if that application changes, how it affects their status as data processors. AI companies should make every effort to be transparent with customers, through partnership agreements and terms of service, about how their tools comply with existing regulations, particularly the data they collect, how it is stored and processed, and the mechanisms for customers to restrict these actions.
Until regulators bring clarity to the AI landscape, it falls on technology leaders to promote self-regulation and ethical AI practices within their organisations, ensuring that the outputs of AI technologies are safe and beneficial for society. Many companies have already published their own guiding principles for responsible AI use, and these share consistent themes: accountability, reliability, fairness, transparency, privacy, and security.
If they aren’t already, technology leaders should be acting now to evaluate the implications of incorporating AI into their products. Companies should be setting up internal governance committees to discuss AI ethics, evaluate tools and their applications within their own businesses, review processes, and set strategy in advance of more widespread regulation.
Although it is apparently not a focus for the upcoming AI Safety Summit, establishing a regulatory body (similar to the International Atomic Energy Agency (IAEA) or the European Medicines Agency (EMA)) would go a long way towards setting a global framework for regulating AI. Such a body could bring standardisation and set criteria for the continuous assessment of tools, ensuring they still adhere to those standards as models learn and grow.
An intelligent future
AI has the potential to transform our lives, but it cannot do so at the expense of the fundamental principles of data rights and privacy we have today. Regulators need to strike a delicate balance that protects individuals without stifling innovation.
After government and industry leaders meet at Bletchley Park, the first outcome I would like to see is a greater emphasis on bringing transparency to the current AI landscape. Rather than relying on goodwill and voluntary codes of conduct, AI companies should be required to be transparent about the models and technologies behind their tools. That transparency will allow businesses and customers to make more informed adoption decisions and give them greater autonomy over their data.