How Private Governance Mitigates AI Risk

Hemphill, Thomas; Longstreet, Phil

1 Introduction: A Primer on Artificial Intelligence

Artificial intelligence (AI) has been a topic of increasing public discussion and debate over the last decade. AI is commonly referred to as a technology, a catch-all for the set of technologies and designs that make AI possible.¹ In the broadest sense, AI applies to any technique that enables computer software to mimic human intelligence.² Such AI employs logic, if-then rules, decision trees, and machine learning—the latter includes statistical techniques usually applied to large data sets.³ These data sets enable the computer software to improve at tasks through the application of learning algorithms made up of artificial neural networks and large-scale, probabilistic reasoning systems, resulting in the AI software engaging in experiential “deep learning.”⁴

There are three generally accepted definitions of the scope of AI:⁵

Artificial Narrow Intelligence (ANI): ANI (also referred to as “weak” AI) is often a part of the computational statistics area of study. (Although in its most brittle symbolic forms, it is largely divorced from statistics.) A firm utilizing ANI is using a specific AI to support a specific process with well-defined rules. In human terms, these systems have no intelligence or common sense. The ANI system is software based on computational statistics used to create models that can help human beings or other machines make decisions at ever-increasing speeds. This is an AI level that presently exists in commercial applications—including GPT-4. While these technologies are an advancement in ANI, they still lack the cognitive abilities and other “human-like” attributes required to be classified as “artificial general intelligence.”
Artificial General Intelligence (AGI): AGI (“strong” AI) is a term coined by physicist Mark Gubrud in 1997.⁶ It describes software that has cognitive abilities similar to humans. It has a “sense” of consciousness and is typically equated to human-like ability in terms of learning, thinking, and processing information for decision-making. An AGI equates to encapsulating a life of human experiences in a specific domain of knowledge and translating it into terabytes of training data.
In the case of AGI, this definition would in the recent past usually pass the Turing test, which qualifies an AI to be labeled as intelligent, in that it operates so proficiently that human observers could not distinguish its behavior from a human’s behavior. However, since finding that the Turing test essentially measures only “deception,” large language developers now utilize the General Language Understanding Evaluation (GLUE) or the Stanford Question Answering Dataset (SQuAD) as a benchmark to measure AGI.⁷ This is an AI level not yet technologically feasible, but it is anticipated to be so in the future.⁸
Artificial Super Intelligence (ASI): ASI (often referred to as “existential” in nature because of potentially cataclysmic risks to the future existence of humanity) is human-level intelligence executed a thousand times faster and viewed as decades away from arriving—if ever at all.

AI software is characterized by some economists as a “general purpose technology,”⁹ with ANI today embedded in a range of industries, firms, and products and services across the United States.¹⁰ For example, the chemical basis of photography has been replaced with digital photography.¹¹ Instead of Kodak (a traditionally chemistry-based firm) remaining a dominant player in the photography industry, today this industry is dominated by new social platform entrants, including Google and Facebook. Google and Facebook technologies utilize photo apps (and ANI) to recommend products, services, and news feeds that users might like as well as friend recommendations to introduce a person to someone based on shared affinities or backgrounds.

Kodak’s demise was not due to a digital photography start-up venture, but by the emergence of smartphones and social network firms and the underlying developments in ANI. Likewise, in the personal digital assistant (PDA) and smart appliance market space, many companies have been actively developing AI assistants. One of the most widely known is the Siri voice recognition system, introduced in October 2011 by Apple in its iPhone 4S. Over the last decade, Siri has been integrated into a variety of other Apple products, from the iPad to Apple TV to AirPods.¹² As these PDAs—also offered by Amazon, Google, Microsoft, and Google, to name a few major manufacturers—have expanded product capabilities, additional interest has risen in how these ANI-based technologies are most efficaciously used.

ANI functionality has, by and large, been a natural progression of technologies. It started with companies using basic speech recognition and voice processing for addressing entry level customer service and phone routing. This original functionality was rapidly eclipsed by ANI development with advanced machine learning and access to a wealth of information available on the internet by which to “train” or “learn” on.

For example, ChatGPT is a large language model (LLM) and generative AI, which means its algorithms can be used to create new content, including audio, code, images, text, simulations, and videos.¹³ ChatGPT has made recent headlines after the developer made it freely available to the public. Since the release of ChatGPT, the public has started testing the limits of this software by having the chatbot write essays, answer questions on college level exams, complete complex programming, and in the case of ChaosGPT (a ChatGPT derivative), even plot for the extinction of the human species (thankfully, that has not gone well).¹⁴

Google recently announced the launch of Bard, a ChatGPT rival, and Microsoft plans on including its version of generative AI in Bing.¹⁵

Though this ANI advancement is exciting and presents lucrative future opportunities, it is also not without perceived technological risk. In March 2022, Pew Research Center surveyed US adults asking them to respond to a series of specific AI applications. When asked if certain applications were a good or bad idea for society, 56% of respondents said computer chip implants in the human brain would be bad; 44% said AI in driverless passenger vehicles would be a bad idea; and 31% said AI algorithms used by social media companies to find false information on their sites would also be bad for society.¹⁶

A May 2023 survey conducted by Change Research for the Tech Oversight Project reports that 54% of Americans want Congress to pass legislation that ensures AI is regulated to protect privacy, is fairly applied, and recognizes the importance of safety while maximizing its benefits and minimizing its risks to society.¹⁷

In truth, there is evidence of actual risks from embracing AI: “automation spurred job loss, privacy violations, deepfakes, algorithmic bias due to bad data, socioeconomic inequality, market volatility, and weapons automation.”¹⁸

While technology companies are working to enhance the capabilities of ANI to more robustly and effectively address commercial opportunities, as a society we should also be looking into how we expect ANI, and more broadly AI, to operate. What boundary conditions or “guardrails” do we wish to place on AI applications? And what public and/or private governance policy framework needs to be established to protect society from misinformation, bias, and plagiarism? How can we protect society while at the same time preserving the private sector’s ability to commercially innovate societal and technological benefits in the AI market space, including in medicine, advanced manufacturing, and autonomous vehicles, among others?

Given this introduction to AI and the emerging issues in its commercial development and implementation, this paper will explore the following research question: What kind of governance framework would best manage AI risks and promote its benefits for American society?

2 Regulatory Governance Models

In the policy arena, the term governance implies regulation. It also refers to a modern, flexible understanding of institutional control systems and indirect mechanisms intended to meet societal goals and objectives.¹⁹ In general, there are two forms of governance: public governance and private governance.

Public governance (also referred to as “hard law” governance) “consists of the formal and informal rules, procedures, practices, and interactions within the State and between the State, non-state institutions and citizens, that frame the exercise of public authority and decision-making in the public interest.”²⁰ Wiener notes that government regulation, i.e., public governance, may inhibit or stimulate technological change. This relationship and outcome are a result of the regulatory choice and design of policy.²¹

Private governance is a component of “soft law” governance, a concept that includes a broad spectrum of potential governance tools, many of which can be government influenced or created. It describes the various forms of private enforcement, self-governance, self-regulation, or informal mechanisms that private individuals and organizations (as opposed to government) use to create order, facilitate exchange, and protect property rights.²² Marchant and Allenby explain that soft law approaches “include instruments or arrangements that create substantive expectations that are not directly enforceable, unlike hard law requirements such as treaties and statutes.”²³ As Gutierrez and Marchant note:

Compared to its hard law counterparts, soft law programs are more flexible and adaptable, and any organization can create or adopt a program. Once programs are created, they can be adapted to reactively or proactively address new conditions. Moreover, they are not legally tied to specific jurisdictions, so they can easily apply internationally. Soft law can serve a variety of objectives: it can complement or substitute hard law, operate as a main governance tool, or as a back-up option. For all these reasons, soft law has become the most common form of AI governance.²⁴

When applied to the commercial sector and specifically, to industries and/or fundamental, cross-industry technologies in the American regulatory state, there is a taxonomy of governance models that range from one end of the regulatory spectrum (e.g., unregulated industries governed by market forces) to the polar opposite (e.g., direct government ownership).²⁵ Figure 1, an Industry Regulatory Spectrum describes: 1) the specific form of regulation; 2) a progression from one end of the vertical spectrum (Private Autonomy) to the other (Public Involvement); and 3) an example of a corresponding industry or policy mechanism of each specific form of regulation.²⁶

Figure 1. Industry Regulatory Spectrum (Form and Example of Governance)

The term “self-regulation” in the context of private governance is a critical concept in the Industry Regulatory Spectrum. As Hemphill explains, “self-regulation exists when a firm, an industry, or the business community establishes its own standards of behavior (1) where no such statutory or regulatory requirements exist or (2) when such standards assist in complying with or exceeding statutory or regulatory requirements.”²⁷

Furthermore, self-regulation is voluntary, it covers behavior that is discretionary and usually refers to a code of conduct as the document that clarifies sanctioned policies and standards.²⁸ Self-regulation at the industry-level is defined by Gupta and Lad as “a regulatory process whereby an industry-level organization (such as a trade association) sets and enforces rules and standards, relating to the conduct of firms in the industry.”²⁹ Academic researchers recommend that the greatest potential for industry self-regulation lies with a mixed form of industry rule-making and government oversight.³⁰

Guidelines, standards, and codes of conduct are some soft law mechanisms that are embraced, but there are also “stealth” administrative rule-making activities, including guidance documents, interpretive rules, and general policy statements.³¹ Moreover, says Abbott, soft law governance approaches, such as “information disclosures, codes of conduct, and certification mechanisms,” have the innate advantage of being “adopted and revised much more rapidly than formal regulations.”³²

In contrast, an inherent weakness of soft law is that it may successfully justify bad behavior more rapidly than a formal regulatory process. Because soft law governance lacks effective enforcement mechanisms, it must rely on aligning clearly defined and well-understood incentives with stakeholders.³³ Thus, for effectively managing the risks of AI, it is critical that stakeholders consider the inclusion of implementation mechanisms and appropriate incentives.³⁴

Unlike laws and regulations, which are governed by the political jurisdiction of the government that enacts them, soft law in the form of international norms and standards potentially can exert a strong influence without raising extraterritoriality concerns.³⁵ As Peter Cihon of the Future of Humanity Institute at the University of Oxford explains: “[AI] presents novel policy challenges that require coordinated global responses. Standards, particularly those developed by existing international standards bodies, can support the global governance of AI development.”³⁶

Will all countries agree to follow these international AI standards, especially if it is not in their best economic, military, or political interests? Obviously not, and this could result in restrictions on international trade (including data transfers) between the countries abiding by such international standards versus the countries not abiding by these international standards.

Given this brief introduction to regulatory governance models, this Industry Regulatory Spectrum will be useful in analyzing recent AI public and private governance proposals. It will also help illuminate the important role that such private governance frameworks have in optimizing the trade-offs between AI risks and benefits of such innovation for American society.

3 Artificial Intelligence: Public Governance Proposals

During the final year of the Trump administration, the first major public governance AI initiative was adopted by the federal government. In February 2020, the US Department of Defense (DOD) adopted its AI Ethical Principles “designed to enhance the department’s commitment to upholding the highest ethical standards as outlined in the DOD AI Strategy.”³⁷ According to the press release, “The DOD Joint Artificial Intelligence Center will be the focal point for coordinating implementation of AI ethical principles for the department,”³⁸ and “the DOD’s AI Ethical Principles build on the US military’s existing ethics framework based on the US Constitution, Title 10 of the US Code, Law of War, existing international treaties and longstanding norms and values.”³⁹

The DOD’s AI Ethical Principles encompass five major areas:

DOD personnel will exercise appropriate levels of judgment and care, while remaining responsible for the development, deployment, and use of AI capabilities.
The Department will take deliberate steps to minimize unintended bias in AI capabilities.
The Department’s AI capabilities will be developed and deployed such that relevant personnel possess an appropriate understanding of the technology, development processes, and operational methods applicable to AI capabilities, including with transparent and auditable methodologies, data sources, and design procedure and documentation.
The Department’s AI capabilities will have explicit, well-defined uses, and the safety, security, and effectiveness of such capabilities will be subject to testing and assurance within those defined uses across their entire life-cycles.
The Department will design and engineer AI capabilities to fulfill their intended functions while possessing the ability to detect and avoid unintended consequences, and the ability to disengage or deactivate deployed systems that demonstrate unintended behavior.⁴⁰

However, since the fall of 2022, there has been a flurry of public policy activity at the national level concerning AI. In October 2022, the White House Office of Science and Technology Policy (OSTP) released the Blueprint for an AI Bill of Rights (Blueprint), a voluntary guide that identifies five principles to assist firms and industries in the design, development, and deployment of AI products and other automated systems so that such systems protect the rights of the American public.⁴¹

The Blueprint’s five principles protecting the American public consist of the following:

Safe and Effective Systems: Americans should be protected from unsafe or ineffective systems.
Algorithm Discrimination Protection: Americans should not face discrimination by algorithms, and systems should be used and designed in an equitable way.
Data Privacy: Americans should be protected from abusive data practices via built-in protections and have agency over how data about them is used.
Notice and Explanation: Americans should know that an automated system is being used and understand how and why it contributes to outcomes that impact them.
Human Alternatives, Consideration, and Fallback: Americans should be able to opt-out, where appropriate, and have access to a person who can quickly consider and remedy problems they encounter.⁴²

The Blueprint shares much in common with The Organisation for Economic Co-operation and Development’s (OECD) Recommendations on Artificial Intelligence (Recommendations).” The US government, an OECD member, specifically the US Department of State,⁴³ was a leader in the effort to establish the Recommendations, which were adopted by the OECD Council on May 22, 2019. Like the Blueprint, it includes five values-based principles:

inclusive growth, sustainable development and well-being;
human-centered values and fairness;
transparency and explainability;
robustness, security and safety;
accountability.⁴⁴

The US Department of State’s definition of AI is “a machine-based system that can, for a given set of human-defined objectives make predictions, recommendations or decisions influencing real or virtual environments,” and is included in the National Artificial Intelligence Act of 2020.⁴⁵ In addition, the State Department played a pivotal role in establishing the voluntary Global Partnership on Artificial Intelligence (GPAI), initiated in June 2020 as a multi-stakeholder effort to advance AI while recognizing the importance of human rights and democratic values in its development.⁴⁶ Furthermore, the Department of State has played a critical role in guiding GPAI and ensuring it complements the work of the OECD.⁴⁷

In January 2023, the National Institute of Standards and Technology released its Artificial Intelligence Risk Management Framework (AI RMF), a required legislative charge of the National AI Initiative Act of 2020.⁴⁸ According to the website, “The Framework is intended to be voluntary, rights-preserving, non-sector specific, and use-case agnostic, providing flexibility to organizations of all sizes and in all sectors and throughout society to implement the approaches in the Framework.”⁴⁹ The characteristics of trustworthy AI systems addressed in the AI RMF include that they be valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with their harmful biases managed.⁵⁰

When Congress passed the National AI Initiative Act in 2020, it directed the National Science Foundation to work with the White House Office of Science and Technology Policy (OSTP), to:

Establish a task force to create a roadmap for a National AI Research Resource (NAIRR)—a shared research infrastructure that would provide AI researchers and students with significantly expanded access to computational resources, high-quality data, educational tools, and user support.⁵¹

Key recommendations in the task force’s January 2023 report include first, that “the NAIRR should be established with four measurable goals in mind, namely to (1) spur innovation, (2) increase diversity of talent, (3) improve capacity, and (4) advance trustworthy AI.”⁵² Second, the NAIRR should set the standard for responsible AI research through the design and implementation of its governance processes, and implement system safeguards in accordance with established guidelines.⁵³

In April 2023, officials from the Consumer Financial Protection Bureau, Equal Employment Opportunity Commission, Federal Trade Commission, and the US Department of Justice released a “Joint Statement on Enforcement Efforts Against Discrimination and Bias In Automated Systems” (Statement).⁵⁴ These are among the federal agencies responsible for enforcing civil rights, non-discrimination, fair competition, consumer protection, and other vitally important legal protections.⁵⁵ In this Statement, these agencies reiterate their “resolve to monitor the development and use of automated systems [including AI] and promote responsible innovation,” while pledging “to vigorously use [their] collective authorities to protect individuals’ rights regardless of whether legal violations occur through traditional means or advanced technologies.”⁵⁶

In this paper, an affinity diagram is employed to help identify and clarify important AI policy principles (patterns of ideas) identified with the above five key public AI governance initiatives recently adopted (see table 1, Artificial Intelligence Policy Principles: Public Entities). Developed by Jiro Kawakita, the affinity diagram, or “KJ method,” is an analytic tool used to organize ideas or attributes with underlying similarity into subgroups with common themes. It helps to identify patterns and establish related groups that exist in qualitative datasets.⁵⁷

Table 1. Artificial Intelligence Policy Principles: Public Entities

What useful commonalities can be derived from table 1? It is readily apparent that public governance AI policy principles are focused on five categories. For instance, the category of System Fairness & Ethicality is universal among all five public entities. Following closely behind with four public entities are the categories of

Safety (OSTP, OECD, NIST, and NSF with OSTP),
Development and Testing Standards (DOD, OSTP, OECD, and NSF with OSTP),
Accessible & Trustworthy Systems (DOD, OECD, NIST, and NSF with OSTP), and
System Transparency & Documentation (DOD, OECD, NIST, and NSF with OSTP).

System Continuity has three public entities represented (DOD, NIST, and NSF with OSTP), and Privacy Standards has two public entities represented (OSTP and NIST). While privacy standards are directly attributed to only two public entities, it is safe to assume that “privacy” is implicitly present in some form among the other three public entities’ initiatives.

In Congress, there has been significant recent discussion on initiating congressional task forces or commissions on developing national rules on AI implementation. Senate Majority Leader Charles Schumer (D-NY) has released a proposal for legislation in the 118^th Congress that would include four “guardrails” for AI technology: identifying who trained the AI algorithm, the intended audience, its data sources, and response mechanisms, as well as strong, transparent ethical boundaries. However, there has been no serious legislation yet progressing toward enactment in either chamber in the first half of 2023. This is partially due to a significant knowledge gap on this subject that needs to be transcended amongst legislators.⁵⁸ There were a number of legislative proposals addressing AI introduced in the 117^th Congress, including the Algorithmic Accountability Act, the American Data Privacy and Protection Act (which included AI regulatory provisions), the Algorithmic Justice and Online Platform Transparency Act, and the Protecting Americans from Dangerous Algorithm Act, but none were enacted into law before Congress adjourned.⁵⁹

Presently, there are two ideological “camps” on Capitol Hill: one that wants to move quickly and establish national rules on AI implementation, and a second that wants to go slow, learn more about AI technology, and have an informed legislative response that does not create barriers to innovation—especially in the critical healthcare and biotechnology industries.⁶⁰ Lawmakers in both chambers are expected to reintroduce legislation in the 118^th Congress, specifically the Algorithmic Accountability Act and the Algorithmic Justice and Online Platform Transparency Act, both of which include regulatory frameworks addressing the risks associated with AI.⁶¹

4 Artificial Intelligence: Private Governance Approaches

The US private sector, specifically the digital media technology industry, has in recent years been actively involved in developing voluntary AI principles and policies to guide their companies’ business decision-making. These companies and industry associations have built on a foundation of ethical best practices developed by other non-governmental organizations and professional groups. These include the Berkman Klein Center at Harvard University,⁶² the Center for Law, Science, and Innovation at Arizona State,⁶³ the Institute of Electrical and Electronics Engineers (IEEE),⁶⁴ the International Organization for Standardization (ISO)⁶⁵ (including ISO/IEC 42001 [Standards for AI Management Systems] and ISO/IEC 23894 [AI Risk Management]), and more generally, the Association for Computing Machinery and British Standards Institution (BSI).

In October 2017, the Information Technology Industry Council (ITI), an industry association representing major tech companies such as Apple, Google (Alphabet), Microsoft, Amazon, and Meta, released the Artificial Intelligence Policy Principles (AI Policy Principles), a document addressing responsible and ethical AI development.⁶⁶ These AI Policy Principles include:

Responsible design and development
Safety and controllability
Robust and representative data (responsible use and integrity of data)
Interpretability (mitigating bias)
Cybersecurity and privacy⁶⁷

In September 2019, the US Chamber of Commerce (Chamber), an apex cross-industry association, released ten AI policy principles crafted as a private governance document in collaboration with more than 50 companies representing all sizes and sectors of the American business community (the Chamber also endorses the OECD Recommendations on AI as a set of guidelines to advance its vision).⁶⁸ These ten Principles on Artificial Intelligence include:

Recognize trustworthy AI is a partnership
Be mindful of existing rules and regulations
Adopt risk-based approaches to ai governance
Support private and public investment in ai research and development
Build an AI-ready workforce
Promote open and accessible government data
Pursue robust and flexible privacy regimes
Advance intellectual property frameworks that protect and promote innovation
Commit to cross-border data flows
Abide by international standards⁶⁹

In the digital media industry, major companies (including Alphabet, Meta, and Microsoft) have in recent years issued explicit policies and/or principles of AI to be used in their business operations. Alphabet’s Google AI Principles include:

Be socially beneficial
Avoid creating or reinforcing unfair bias
Be built and tested for safety
Be accountable to people
Incorporate privacy design principles
Uphold high standards of scientific excellence
Be made available for uses that accord with these principles⁷⁰

Meta’s Five Pillars of Responsible AI consist of

Fairness and inclusion
Robustness and safety
Transparency and control
Accountability and governance
Collaborating on the future of responsible AI⁷¹

Lastly, Microsoft has initiated its Microsoft Responsible AI Standard (v2), which consists of the following goals:

In table 2, Artificial Intelligence Policy Principles, again using an affinity diagram, an inventory of these five major firm-, industry-, and cross-industry examples of organizational AI policy principles with each AI policy principle categorized by thematic similarity across organizations (This is not a scientific sample, but for illustrative policy purposes, only).⁷³

Table 2. Artificial Intelligence Policy Principles: Firm, Industry, and Cross-Industry

What useful commonalities can be derived from table 2? It is readily apparent that private governance AI policy principles are focused on seven categories. For instance, the category of “Safety and Reliability” is universal among all five organizations. Following closely behind with four organizations are the categories of “Fairness and bias” (Alphabet, Microsoft, ITI, and the Chamber), “Privacy and security” (Alphabet, Microsoft, ITI, and the Chamber), “Responsible R&D” (Alphabet, Meta, ITI, and the Chamber), and “Transparency and accessibility” (Alphabet, Meta, Microsoft, and the Chamber). Lastly, are the two categories of “Accountability” (Alphabet, Meta, and Microsoft) and “Societal improvement” (Alphabet, ITI, and the Chamber), both of which include three organizations.

While Apple and Amazon are not represented in table 2 (as neither firm has made publicly available an explicit firm-level AI policy principles document), it should be noted that both firms are members of the Information Technology Information Council, whose “AI Policy Principles” include fairness and bias, safety and reliability, privacy and security, “responsible R&D, and societal improvement, five of the seven significant categories identified.⁷⁴

5 Artificial Intelligence and Meta-Regulation

From the literature of science and technology studies (STS), insightful and valuable concepts can be drawn upon to support this paper’s policy analysis. These include an emphasis on the plurality of knowledge and assumptions that inform collective action concerning decisions about social control (i.e., regulation) and assessment of an emerging technology (e.g., AI) in American society.

For example, one STS concept, the Collingridge dilemma, creates a methodological quandary for technological assessment when considering the responsible governance of AI technological innovation.⁷⁵ According to Collingridge, “Attempting to control a technology is difficult … because during its early stages, when it can be controlled, not enough can be known about its harmful social consequences to warrant controlling its development; but by the time these consequences are apparent, control has become costly and slow.”⁷⁶

Related to the Collingridge Dilemma is the Pacing Problem found in exercising technology assessment activities and designing and implementing a regulatory framework. The pacing problem, according to Thierer, “Refers to the quickening pace of technological developments and the inability of governments to keep up with those changes.”⁷⁷ The pacing problem—at its core a knowledge deficiency problem—is based on the “law of disruption,” which Downes describes as how “technology changes exponentially, but social, economic, and legal systems change incrementally.”⁷⁸ Marchant explains the pacing problem in greater detail:

In contrast to this accelerating pace of technology, the legal frameworks that society relies on to regulate and manage emerging technologies have not evolved as rapidly, fueling concerns about a growing gap between the rate of technological change and management of that change through legal mechanisms.⁷⁹

Further, there are three recognized technological innovation governance approaches in the STS literature, all of which have relevance to the research question posed in this paper: (1) the precautionary principle, (2) responsible innovation, and (3) permissionless innovation.

First, emerging at end of the 20^th century, the precautionary principle (PP) was defined (and endorsed) by the United Nations Educational, Scientific and Cultural Organization’s (UNESCO) World Commission on the Ethics of Scientific Knowledge and Technology (COMEST), as “when human activities may lead to morally unacceptable harm that is scientifically plausible but uncertain, actions shall be taken to avoid or diminish that harm.”⁸⁰ The precautionary principle is often used by policymakers to introduce government regulation where there is the possibility of “serious harm to human health or the environment”⁸¹ resulting from the implementation of a certain policy decision, but conclusive evidence of the adverse effects of the decision is not yet available.

Second, responsible innovation was formally defined by Von Schomberg as:

… a transparent, interactive process (emphasis added) by which societal actors and innovators become mutually responsive to each other with a view to the (ethical) acceptability, sustainability and societal desirability of the innovation process and its marketable products (in order to allow a proper embedding of scientific and technological advances in our society).⁸²

Of more recent vintage, and offered from a policy process perspective, Valdivia and Guston recognize that responsible innovation

… considers innovation inherent to democratic life and recognizes the role of innovation in the social order and prosperity. It also recognizes that at any point in time, innovation and society can evolve down several paths and the path forward is to have to some extent open to collective choice. What RI [responsible innovation] pursues is a governance of innovation where that choice is more consonant with democratic principles. … RI … appreciates the power of free markets in organizing innovation and realizing social expectations but … [is also] self-conscious about the social costs that markets do not internalize.⁸³

Third, Thierer explains the notion of permissionless innovation:

… experimentation with new technologies and business models should generally be permitted by default. Unless a compelling case can be made that a new invention will bring serious harm to society, innovation should be allowed to continue unabated and problems, if any develop, can be addressed later.⁸⁴

Thierer also notes that, unlike the precautionary principle, permissionless innovation switches the burden of proof to opponents of technological change by asserting five fundamental attributes associated with it:

Technological innovation is the single most important determinant of long-term human well-being.
There is real value to learning through continued trial-and-error experimentation, resiliency, and ongoing adaptation to technological change.
Constraints on new innovation should be the last resort, not the first. Innovation should be innocent until proven guilty.
When regulatory interventions are considered, policy should be based on evidence of concrete potential harm and not fear of worst-case hypotheticals.

Finally, where policy interventions are deemed needed, flexible, bottom-up solutions of an ex-post (responsive) nature are almost always preferable to rigid, top-down controls of an ex-ante (anticipatory nature).⁸⁵

The concept of the nonmarket issue life cycle (life cycle) is a useful analytic concept to identify where a public issue is located in the public policy environment. The life cycle consists of a public issue progressing through five stages of maturity:

issue identification
interest group formation
legislation
administration
enforcement⁸⁶

As Baron notes: “[A]s the impact [of the issue] increases, [firm] management’s range of discretion addressing the issue correspondingly decreases.”⁸⁷ In the case of AI, as noted by the recent activities in the US public policy arena, it is apparent that some form of federal legislation (stage 3 in the nonmarket issue life cycle) is poised to emerge in the 118^th Congress addressing a policy direction for a regulatory framework of some form of social control of ANI technology.

Likewise, given the issues associated with the pacing problem and the limits of human knowledge (e.g., concerning what is known and unknown), the question of how to effectively and efficiently regulate AI to socially control this emerging technology while capturing its evolutionary benefits is the “existential” challenge before American society. The precautionary principle has the inherent problem of attempting to pre-emptively eliminate all or most hypothetical risk from emerging technologies—a potentially significant barrier to encouraging technological innovation for the benefit of American society. Likewise, permissionless innovation, as Thierer notes, only favors public regulatory approaches to a new technological innovation, such as AI, based on the actual evidence of potential harm to society.⁸⁸

The permissionless innovation governance approach, as seen in the recent congressional fact-finding inquiries and legislative proposals (also based on evidence of actual “harms” from existing ANI activities), is no longer considered a serious public policy consideration for ANI regulatory frameworks.⁸⁹ Even Thierer, who is a longtime advocate, recognizes the importance of soft law complementing hard law approaches to AI risk management in order to address actual evidence of ANI harms.⁹⁰ However, the responsible innovation approach, shares conceptually more in common with permissionless innovation than the precautionary principle.⁹¹ It is congruent with present AI policy efforts being considered by Congress and the executive branch, reflecting what Valdivia and Guston characterize as “collective choice” along with “democratic principles.”⁹²

There is a body of public thought and policy tools available to help US policymakers and regulators effectively and efficiently design an AI policy path forward. Figure II illustrates the Regulatory Pyramid, which offers a broader policy-focused approach to addressing the national AI regulatory/governance challenge. This is in contrast to the specific focus of regulatory forms listed in the Industry Regulatory Spectrum (figure I). Within the Regulatory Spectrum, the category of market forces is no longer being considered a stand-alone form of social control over AI in the US.

Private AI governance in the form of self-regulation has been developed and used by US-based industry associations and private firms over the last few years. Public regulation is now being proactively discussed in the 118^th Congress. However, given the issues related to pacing and dynamically emerging ANI technology, as well as the importance of responsible innovation as an effective conceptual approach to the governance of AI, meta-regulation offers the most realistic and practical approach to governing the future commercial development and implementation of AI.

Figure 2. Regulatory Pyramid: Free Market Regulation

Governmental Command-and-Control Regulation

Source: Ian I. Ayres and John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate, (Oxford University Press: Oxford, 1992).

Meta-regulation, as defined broadly by Grabowski, includes “activities occurring in a wider regulatory space, under the auspices of a variety of institutions, including the state, the private sector, and public interest groups.”⁹³ Meta-regulation, says Coglianese and Mendelson, specifically “refers to ways that outside regulators deliberately—rather than unintentionally—seek to induce targets to develop their own internal, self-regulatory responses to public problems.”⁹⁴ As Taylor notes in relation to his research on AI, “It is useful not to speak about a ‘policy’ but about the ‘policy space’ Otherwise, there is risk that the basket of policy alternatives and tools is conceived too narrowly.”⁹⁵ Thus, public regulation (hard law) is complemented by self-regulation (soft law), resulting in meta-regultion policy “space” being the most effective and efficient governance framework designed for AI technology commercialization.

Within the Industry Regulatory Spectrum (figure 1), the specific forms of regulation qualifying as meta-regulation include self-regulation plus non-governmental participation, self-regulation plus governmental participation, self-regulation plus governmental policing of deceptive practices, and self-regulation plus an autonomous government agency with rule-making authority. In addition, in the case of ANI, there are also be ex post statutes that can be enforced against specific illegal business behavior.⁹⁶ These industry regulatory policy approaches are later referred to in the subsequent recommended legislative policy proposal.

An example of industry meta-regulation is the Financial Industry Regulatory Authority (FINRA), a government-authorized, not-for-profit organization funded through membership fees and fines that oversees US broker-dealers.⁹⁷

FINRA undertakes these efforts to protect the investing public against fraud and bad industry practices.⁹⁸ Its board of governors is composed of 22 industry and public members.⁹⁹ FINRA qualifies as a “self-regulation plus governmental participation” form of meta-regulation, which includes its quasi–law enforcement authority to sanction (through enforcing rules) and to audit firms (for compliance with its rules). However, there is criticism of FINRA’s performance and the meta-regulatory approach in general. “Due process, transparency and regulatory-review protections normally associated with regulators are not present, and its arbitration process is flawed. Reforms are necessary,” writes David Burton, a senior fellow in economic policy at the Heritage Foundation, in a policy paper focused on reforming FINRA.¹⁰⁰

The essential characteristics of any regulatory or governance approach—including meta-regulation—involves four distinct components useful for AI policy analysis: target, regulator, command, and consequences.¹⁰¹ The target “is the entity to which the regulation applies and upon whom the consequences are imposed.”¹⁰² Traditionally, this entity would be an organization, such as a firm, an individual, government, rot non-profit. However, in the case of ANI, the targets are the applications of the general purpose technology, eg., employment hiring, credit approval, etc.

The regulator “is the entity that creates and enforces the rule or regulation,” including governmental and non-governmental standard-setting bodies or industry trade associations.¹⁰³ Within a meta-regulation ANI governance approach, regulators include federal agencies, industry standard-setting associations, individual corporations, and relevant non-governmental stakeholders.

The command “refers to what the regulator instructs the target to do or to refrain from doing. Commands can either specify means or ends.”¹⁰⁴ Means commands—technology design, or specification standards—mandate or prohibit the taking of a specific action. Ends commands, called performance standards, “do not require any particular means, but instead direct the target to achieve (or avoid) a specified outcome related to the regulatory goals.”¹⁰⁵

The federal public governance AI environment consists of a range of voluntary and advisory AI guidance documents (including “means” and “ends” recommendations) for firms and industries issued by the Department of State, Department of Defense, White House Office of Science and Technology, National Institute of Standards and Technology, National Science Foundation, and the National Telecommunications and Information Administration. Likewise, US.-based private governance approaches developing and implementing AI policy principles reveal examples of such statements at various organizational levels, including the firm (Alphabet, Meta, and Microsoft), industry (ITI), and cross-industry (US Chamber of Commerce).

What scope of commands is missing? In general, a lack of a coherent, national AI policy framework that both recognizes the limits of public regulation and the necessity for private governance and industry self-regulation, and that ensures the product development and innovative commercial implementation of AI in the future.

As mentioned earlier, there are two camps on the subject of AI: one wanting immediate legislation that establishes national rules for AI implementation, and a second wanting a go slow approach, learning more about AI technology, and eventually offering an informed legislative response that doesn’t inhibit technological innovation and commercial success. However, there is a growing body of knowledge available on existing ANI performance in the commercial sector of the economy, and an opportunity for congressional leadership to establish a meta-regulatory outline of an ANI framework for future commercial implementation.

Proposed congressional legislation on AI development and implementation could include the following provisions:

Formally endorse a framework of AI policy principles. There has been a convergence among stakeholders to AI development and implementation on what constitutes a body of core governance principles. The White House’s OSTP has identified the following five AI principles: “safe and effective systems, algorithim discrimination protection, data privacy, notice and explanation, and human alternatives, consideration, and fallback.”¹⁰⁶ Likewise, this paper uncovered seven such AI categories of principles from private sector, self-regulation efforts: fairness and bias, safety and reliability, accountability, privacy and security, responsible R&D, transparency and accountability, and societal improvement. Moreover, a 2019 global survey of organizations analyzing 84 AI ethical frameworks found results converging around the following five principles: transparency, justice and fairness, non-malficence, responsibility, and privacy.¹⁰⁷ At this time, Congress is the ideal democratic, deliberative body to identify, designate and endorse a core framework of distinct, responsible AI principles useful as a definitive baseline departure point for future AI meta-regulation policy efforts. Over time, and through accumulated learning experience, such a framework can be legislatively amended.This formal recognition is not only helpful for national meta-regulatory institutional efforts, but will also be a departure point for similar developments in standards harmonization in the international environment – including future updates to the OECD’s Recommendations on Artificial Intelligence, for example. This meta-regulation provision is indicative of the regulatory form, self-regulation plus governmental participation, found in the Industry Regulatory Spectrum.
Expand the role of the NAIAC to encourage widespread responsible adoption of AI across the federal government, as well as in the non-governmental and private sectors. To some extent, the NIST has been playing a lead role for many years, culminating in its important release of the AI RMF early in 2023. Those efforts, and the NIST’s ongoing AI Playbook process, should constitute the heart of the National Artificial Intelligence Advisory Committee (NAIAC).As others have recommended, NIST could also work with NTIA (as they are both located within the US Department of Commerce) in a more formal way to actively engage relevant stakeholders to develop contextually tailored, voluntary “best practices.”¹⁰⁸ In a formal, institutional setting, however, federal government efforts to identify and develop AI guidelines have generally been single-agency oriented—although it has included an example of multi-agency projects as legislatively required in the National AI Initiative Act of 2020.In April 2022, as required by the National AI Initiative Act of 2020 (Initiative), the NAIAC was officially launched.¹⁰⁹ Congress has directed the NAIAC to provide:

Recommendations on topics including the current state of US AI competitiveness; progress in implementing the Initiative; the state of science around AI; issues related to AI workforce; how to leverage Initiative resources; the need to update the Initiative; the balance of activities and funding across the Initiative; the adequacy of the National AI R&D strategic plan; management, coordination, and activities of the Initiative; adequacy of addressing societal issues; opportunities for international cooperation; issues related to accountability and legal rights; and how AI can enhance opportunities for diverse geographic regions.¹¹⁰

By explicitly amending the National AI Initiative Act of 2022, the role of the NAIAC could be formally expanded to encourage and monitor widespread responsible adoption of AI across the federal government, as well as in the non-governmental and private sectors. The NAIAC will be charged with coordinating, encouraging and facilitating emerging governance ideas and meta-regulation best practices found among AI practitioners—an apex role best suited for the public sector.

An annual “state-of-the technology” report should be provided to Congress by the NAIAC (in contrast to the triennial report required under the existing legislation),¹¹¹ thus allowing for a timely legislative response needed to address any public regulatory issues arising. This meta-regulation provision is indicative of the regulatory forms of self-regulation plus non-governmental participation and self-regulation plus governmental participation found in the Industry Regulatory Spectrum.

Moreover, the use of a sunset law, also known as a sunset provision, is a law that automatically terminates an agency, a law, or a government program that fails to procure legislature approval beyond a fixed period of time.¹¹² This could be a legal instrument for updating AI legislation every three years. An example of a sunset law is H.R. 302 (P.L. 115-254), the FAA Reauthorization Act of 2018, which was signed into law on October 5, 2018. It extended the FAA’s funding and authorities through fiscal year 2023.¹¹³
Designate industry–level standards–setting organizations and affected stakeholder representation as active participants in the AI development and implementation committee. The self-regulation component of non-governmental and private governance is required for effective and efficient meta-regulation to flourish in the public and private sectors, and consequently across American society. The inclusion of representative, industry-level, standards-setting organizations is an essential component for this committee’s long-term success. The makeup of this committee would be critical, as it will need to keep abreast of developments in a general-purpose technology (i.e., being used and developed across a wide-spectrum of industries), which by its very nature necessitates that the technology be malleable and adapt to each industry.As this ANI technology is often a public facing technology, the market demand for adaptation and iterative improvements would exert forces on AI technology development used in the various industries. These factors combine to demonstrate that a committee designated to oversee this technology must be flexible, adaptable, and ready to quickly shift directions as the technology is rapidly developed in unexpected directions.This dynamic pace suggests that a traditional legislative approach, which is often marred with partisan divides and dysfunction, is inadequate to address ANI regulation and that the aforementioned multi-industry and stakeholder representative committee will be best equipped to keep pace with the technology utilizing self-regulation. This meta-regulation provision is indicative of both the regulatory forms, self-regulation plus non-governmental participation and self-regulation plus governmental participation, found in the Industry Regulatory Spectrum.
Encourage soft law approaches when considering a meta-regulatory approach. By its nature, soft law is necessary for rapid adaptation to regulatory responses to an emerging technology, in this case, ANI.¹¹⁴ Eggers, Turley, and Kishnani offer a set of five regulatory approaches to assist AI regulators in efforts to best meet the temporal needs of ANI, the immediate subject of American societal concerns. All of these approaches can incorporate decentralized soft law into an ANI meta-regulatory framework:
1. Adaptive regulation: Shift from “regulate and forget” to a responsive, iterative approach.
2. Regulatory sandboxes: Prototype and test new approaches by creating institutional sandboxes and accelerative mechanisms.
3. Outcome-based regulation: Focus on results and performances rather than form.
4. Risk-weighted regulation: Move from one-size-fits-all regulation to a data-driven, segmented approach.
5. Collaborative regulation: Align regulation nationally and internationally by engaging a broader set of players across the ecosystem.¹¹⁵
Thierer identifies a list of soft law, market-driven, private sector activities useful for ANI governance consideration, including:

Insurance markets, which serve as risk calibrators and correctional mechanisms; social norms and reputational effects, especially the growing importance of reputational feedback mechanisms; societal pressure and advocacy from media, academic institutions, nonprofit advocacy groups, and the general public, all of which can put pressure on technology developers; and ongoing innovation and competition within markets.¹¹⁶ This meta-regulation provision is indicative of the regulatory form, self-regulation plus non-governmental participation found in the Industry Regulatory Spectrum.

The body of existing federal and state statutes useful for ANI risk mitigation has not been fully explored and identified. This would be a useful project to assist stakeholders (exercised through a comprehensive committee disclosure strategy) in knowing what legal recourse may be available to them should they want to address a grievance. This meta-regulation provision is indicative of the regulatory form, self-regulation plus an autonomous government agency with rule-making authority, found in the Industry Regulatory Spectrum.
Investigate and identify the inventory of existing federal ex-post hard law available for enforcing ANI violations and assisting in mitigating risk. Thierer has offered an excellent introduction to an existing hard law complement to soft law meta-regulatory approaches, including federal and state consumer protection statutes. These may include, for example, statutes enforced by the Federal Trade Commission’s Division of Advertising Practices; federal product recall authority enforced by the Consumer Product Safety Commission; automated vehicle policy and regulations as enforced by the National Highway Transportation and Safety Administration; small, unmanned aircraft systems (i.e., drones), enforced by the Federal Aviation Administration; mobile phone privacy disclosures and mobile applications for children, enforced by the Federal Communications Commission; and 3D-printed medical devices, enforced by the Food and Drug Administration; common law authority (i.e., civil remedies enforced through product liability law); property and contract law; insurance and other accident-compensation mechanisms; and other existing statutes and agencies—even the Civil Rights Act, for legally enforcing potential algorithmic bias and discrimination.¹¹⁷

6 Discussion

In the introduction to the paper, the following research question was posed: What kind of governance framework would best manage AI risks and promote its benefits for American society? The answer: Embrace a flexible and adaptable meta-regulation approach for addressing social control of a still emerging technology, while encouraging the potential commercial benefits accruing from future AI technological innovation through private governance initiatives.

American society has an important stake in the ongoing development and implementation of ANI across industries. The limitations of public regulation and the pacing problem of this technology make it vital that regulating authority be able to pivot with innovations, which legislatures don’t do well.

The US government and AI stakeholders can learn valuable lessons for meta-regulation from the development and implementation experiences of the AI Act.

The overall intention of the AI Act was to balance AI regulation with safety considerations, the rights of citizens, business interests, and technological innovation.¹¹⁸ However, its regulatory approach has numerous flaws. First, the issue of model transparency and evaluation arises when considering how, for example, ChatGPT is used in the case medical applications versus for entertainment purposes. Second, when it comes to dataset construction and training methods, for example, the AI Act does not consider these downstream uses of models. Third, the AI Act does not currently address the important issue of model access, which allows AI researchers to assess and evaluate these AI models.¹¹⁹

In addition, legal transparency clarification and data set, model, and process documentation are missing. Access to systems to design safeguards and conduct evaluations, whether in an open or closed source model, is still needed by researchers, and standards to evaluate bias in language models, for example, are not included in the AI Act.¹²⁰

Congress should recognize that private governance is a major component of addressing basic issues related to the future of AI development and implementation across industries. Each industry will have unique issues related to commercializing ANI, and therefore will be in the ideal position to know the best practices to be instantiated in their standard-setting processes. What is crucial for American consumers is that there are effective, operational policies delineating ANI practices and performance, and clear, consumer accessible information disclosure on how well the firm is abiding by these industry ANI best practices.

In many cases, private governance, market-driven mechanisms will significantly assist in the meta-regulation of firm-level ANI, including company AI insurance liability, reputational effects generated by real-time social media coverage of firm behavior, and relevant stakeholder inquiries into firm behavior, resulting in positive or negative general media impacts on company financial performance.

One research approach to further effectively embracing private governance is “polycentric governance,” a theoretical construct developed by Nobel Prize in Economic Science winner Elinor Ostrom.¹²¹ In a democratic society, there are various tasks and governance actions (made by different, yet interdependent, “decision centers”) that are undertaken by public and non-public entities. Polycentric governance is defined as “a system in which many diverse centers of partial authority collectively cover the full range of governance tasks.”¹²²

Researchers have begun to use this polycentric governance tool to better understand these decision process relationships and compare and evaluate these governance arrangements on a range of performance criteria. Particularly when it involves meta-regulation, this theoretical approach could be a valuable tool for evaluating the efficacy of the role of non-governmental institutions in governance models—and in this case, AI governance models.

In conclusion, private governance is the critical component of mitigating AI technological risk to firms, industries, consumers, and American society. The challenge remains, however, whether there is a corpus of American technological leadership that recognizes, invests, and continues to maintain (and improve) an effective, functioning regulatory tension. This regulatory tension, between government-mandated social control and responsible innovation of ANI based in industry self-regulation, market forces, and firm adherence to best practices, will provide for the still-to-come potential benefits accruing to American society from this revolutionary technology.

How Private Governance Mitigates AI Risk

Executive Summary

Resources

Focuses

1 Introduction: A Primer on Artificial Intelligence

2 Regulatory Governance Models

3 Artificial Intelligence: Public Governance Proposals

4 Artificial Intelligence: Private Governance Approaches

5 Artificial Intelligence and Meta-Regulation

6 Discussion

Executive Summary

Resources

Related Publications

Related News

Related Blogs

Focuses

1 Introduction: A Primer on Artificial Intelligence

2 Regulatory Governance Models

3 Artificial Intelligence: Public Governance Proposals

4 Artificial Intelligence: Private Governance Approaches

5 Artificial Intelligence and Meta-Regulation

6 Discussion