As generative AI (GenAI) continues growing in importance, governments around the world are grappling with how to regulate this powerful technology. It’s important that investors pay attention to new regulations to ensure that their companies stay on the right side of the law. Also, we need smart regulation for GenAI to safely benefit society and in order for the industry to continue its rapid growth.
Here are a few thoughts on current regulatory efforts and a few ideas for what governments could do to support GenAI in a smart way.
Note: The opinions expressed in this piece are my own and do not reflect the views of Bain & Company.
The EU AI Act: Setting the Standard
The European Union passed the first major AI law called (uncreatively) the AI Act (AIA). The act introduces a risk-based framework, classifying AI systems into four categories: unacceptable risk, high risk, limited risk, and minimal risk. Systems that fall into the “unacceptable risk” category, such as certain applications of facial recognition or biometric identification technology, will be outright banned. High risk applications such as hiring have strict requirements around transparency, data governance, and human oversight.
The penalties for not complying are extremely severe (up to 7% of annual turnover) and apply to potentially any company that does business in Europe, not just companies based there, so it’s important for companies to pay attention to these rules.
I think this is a pretty good first attempt to regulate a very complex topic. Preventing companies from wantonly using GenAI to track people’s faces without their permission is probably good. Putting restrictions around how GenAI can be used to make hiring decisions also seems good! We don’t know what biases might be in the models.
California’s AI Bill: A Cautionary Tale
While Europe moved ahead, California’s attempt at regulating AI recently was derailed after the governor vetoed it. California's proposed AI safety law aimed to hold developers accountable for damages caused by AI systems, but critics argued that the bill was too vague and overly punitive, potentially pushing AI developers out of the state. There were also questions about whether the law would hurt the user experience. One interpretation said that any time you chat with a bot, you would need to first acknowledge that you are talking to a bot even when it’s obvious.
California will likely try again, but with so many powerful AI firms in the state, particularly firms like Meta that support an open-source approach, I don’t know if they will be able to get the balance right.
Five Ideas for Better Regulation of GenAI
Here are five ideas for how we could regulate AI in a way that would be both good for business and good for broader society. In an ideal world the various AI companies would get together and self-regulate, but given the conflicting personalities and agendas, I’m skeptical that is possible. I think government intervention is probably the only way to get things done.
These are controversial! Feel free to sound off in the comments if you disagree.
1. Fingerprinting AI-produced content
One of the biggest problems with AI right now is that it’s gotten so good that humans cannot distinguish between AI-generated content and real content. (My first grader had a whole section at their weekly assembly about this topic, so awareness is spreading.) This can cause many problems, ranging from sophisticated phishing attacks to kids cheating on their homework to fake news.
If this doesn’t get solved in the medium term, a severe backlash to GenAI becomes increasingly likely where the technology is banned in some cases or severely restricted.
My preferred solution is to require all AI-generated content to include an indelible "fingerprint" that traces it back to its source. For example, in text use cases, models can slightly adjust character frequency, having 2% more p’s and 1% more w’s than normal. This is impossible for a human reader to detect even if they purport to be pretty perspicacious (heh). Similar effects are possible within pixels of images as well.
This kind of fingerprinting could foster accountability. If malicious actors misuse GenAI, tracing content back to its origin model could help understand how they got access.
The problem with fingerprinting is that very sophisticated actors could fine tune models to remove the fingerprinting, so it would need to be embedded very carefully. I don’t want to get too technical, but this is a place where a government mandate would be helpful because all LLM companies are not going to voluntarily add fingerprinting with sufficient safeguards.
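The detection side of the character-frequency idea above, as an added example (not from the original post): it scores a text's p and w rates against a baseline and estimates how much text is needed before the shift is statistically visible. The baseline frequencies are approximate English values, and the 2% and 1% shifts are read as relative increases; both are assumptions.

```python
import math
from collections import Counter

# Assumed baseline: approximate share of English letters that are p / w.
BASELINE = {"p": 0.0193, "w": 0.0236}
# Relative shifts from the article's example: 2% more p's, 1% more w's.
SHIFT = {"p": 0.02, "w": 0.01}

def letter_z_scores(text):
    """z-score of each fingerprint letter's count against the baseline rate."""
    letters = [c for c in text.lower() if c.isascii() and c.isalpha()]
    n = len(letters)
    counts = Counter(letters)
    scores = {}
    for ch, p0 in BASELINE.items():
        sd = math.sqrt(n * p0 * (1 - p0))  # binomial standard deviation
        scores[ch] = (counts[ch] - n * p0) / sd if n else 0.0
    return scores

def looks_fingerprinted(text, z=3.0):
    """True only if every fingerprint letter is at least z deviations high."""
    return all(s >= z for s in letter_z_scores(text).values())

def letters_needed(ch, z=3.0):
    """Letters of text required before the shift for `ch` reaches z deviations."""
    p0 = BASELINE[ch]
    delta = p0 * SHIFT[ch]  # absolute change in the letter's rate
    return math.ceil(z ** 2 * p0 * (1 - p0) / delta ** 2)

def constructed_sample(n, marked):
    """Constructed input: n letters with exact baseline or shifted p/w counts."""
    k = {ch: round(n * p0 * (1 + (SHIFT[ch] if marked else 0)))
         for ch, p0 in BASELINE.items()}
    return "p" * k["p"] + "w" * k["w"] + "e" * (n - k["p"] - k["w"])

if __name__ == "__main__":
    for ch in BASELINE:
        print(ch, "needs about", letters_needed(ch), "letters for 3-sigma detection")
    for n in (10_000, 4_000_000):
        sample = constructed_sample(n, marked=True)
        print(n, "letters, marked:", looks_fingerprinted(sample))
```

Under these assumptions the p shift needs on the order of a million letters to stand out, so a single e-mail or essay carries too little signal for this scheme on its own.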
2. Require the government to use GenAI on itself
You can’t regulate what you don’t understand, and there's no better way for government workers to understand the power and limitations of GenAI than by using it themselves. Bureaucrats should be required to implement GenAI to reduce paperwork, streamline administrative tasks, and increase efficiency for the public.
For example, tax forms, visa applications, and everything that happens at the DMV could be automated using GenAI. Not only would this help government workers experience firsthand the benefits and challenges of AI, but it would also improve the public’s confidence in government.
The goal is that as government agencies become familiar with GenAI, they can make more informed regulatory decisions based on their direct experiences rather than on speculation.
3. Amnesty for past copyright infringement with clear penalties moving forward
Most, if not all, LLMs have been trained on a vast corpus of information scraped off the internet. Some of this content was likely under copyright, which has given rise to a tidal wave of lawsuits from content creators against the deep-pocketed tech companies.
This ongoing litigation has a chilling effect on GenAI, as users are concerned about getting caught up in their own copyright battles if the model accidentally regurgitates someone else’s work. (Many companies limit the length of code snippets that can be generated by GitHub Copilot because they worry that longer passages will be verbatim from another developer who has a copyright.)
My radical suggestion is that the government should help the industry move past this quickly and avoid hundreds of millions in wasted legal fees. Governments could offer an amnesty period where companies can disclose if they trained models on private data without proper consent. This amnesty could come with moderate penalties to encourage disclosure. Moving forward, there should be strict penalties for training models on private data without consent, creating a clear legal framework for data usage in AI. This would continue to encourage lucrative deals between publishers and LLMs for future content while ending the lawsuits.
4. Lighten energy permitting to enable green data centers
GenAI models are notoriously energy-intensive. Training large models requires vast amounts of computational power, which translates into high energy consumption. And with the advent of “thinking” models like o1-preview from OpenAI, now there’s a concern that inference computing will also get much more significant.
This is counter-balanced by the rapidly increasing efficiency of GPUs, but despite that, we’re going to need more power. If you want an example, Microsoft is turning back on Three Mile Island to power its data centers.
One way to address this issue is by easing energy permitting processes for green technologies like geothermal and nuclear power.[1] Data centers powered by renewable energy sources could significantly reduce the environmental impact of GenAI. By lightening the permitting process for these energy sources, governments can enable the rapid development of green data centers.
5. Checking to ensure legitimate use of models
This is probably the most controversial. My proposal is that all models (closed or open source) would have to check back with a server once a day to make sure that whoever is running them is authorized to use them. The idea is to prevent criminals and terrorists from having access to the most cutting-edge models on an ongoing basis.
On the one hand, you could argue that this is like penalizing car companies when someone uses their vehicle as a getaway car. I’d say it’s more like putting in a feature that allows the police to stop a car remotely if it’s involved in a crime, which doesn’t seem like a bad idea (but is probably too expensive to put in place in cars).
This feature combined with the fingerprinting would greatly reduce the number of GenAI-powered scams and keep public opinion of technology positive.
Conclusion
The regulatory landscape for generative AI is still in its early stages, but the direction it takes will have long-lasting effects on the technology, society, and the economy. I firmly believe that smart regulation can help foster growth and remove some of the obstacles to GenAI’s success. I hope some of these ideas become reality before too long. (And feel free to post comments on what I’m missing here. It’s a complicated subject.)
[1] One future of nuclear is small reactors chained together. This is much, much safer than the large reactors we primarily use today. In a big reactor, when you “scram” the reaction by putting in the control rods, the core continues producing heat and power for many hours, which is what causes meltdowns. In a small reactor, it cools down instantly because the time to cool down has a polynomial relationship to core size. Again, you should really read Atomic Accidents.
Thanks for the comment. The EU approach on AI of regulating use cases makes sense to me. I think it's better to warn companies now that certain use cases (e.g., hiring) require a lot of thought vs. waiting until companies have put them in place and having a bunch of lawsuits. Also, since the EU law applies to companies that sell in Europe, it also applies to most larger US companies as well and doesn't seem to be stifling innovation. (That's not to say that all EU regulation is great, but I think in this specific area they've been pretty measured.)
On fingerprinting, I agree that technically savvy people can probably get around it. I believe, though, that people prefer to use legal commercial tools if they are easy to access. Since Spotify and Apple Music have existed, use of BitTorrent for pirating music is way down. Some people still do it, but most people are willing to pay for the convenience. Similarly, I'd expect a relatively small number of people to invest in anti-fingerprinting technology (but I could be wrong). Also, this is why I think #5 is important, so if someone is using a model, we can check that they have a license and aren't a bad actor separately from relying on fingerprints.
Anyway, I appreciate you engaging with the post. Thanks.
These are my free-form reactions as I read this article:
I would challenge this assertion: "Also, we need smart regulation for GenAI to safely benefit society and in order for the industry to continue its rapid growth."
Why are regulations necessary for both? There have not been any proven benefits from the EU's AI regulations.
Additionally, the EU has fallen behind in both AI development and startup success more broadly. I would argue this is at least in part due to their overregulation of industries where no proven harm has been experienced.
Just my reaction: it seems like you're assuming regulation is beneficial without really assessing if that assumption is grounded in reality.
On 1. I don't think it is clear that fingerprinting is possible. You make the claim that it is; however, these fingerprints can be easily removed and there's no way of enforcing that individuals maintain fingerprints.