You’ve heard the headlines. The historic AI Act by EU is there to regulate the wild west of AI. But suppose the sheriffs prepared an outline of rules that the outlaws are already mastering to be broken?
There is a complicated game of regulatory cat and mouse being played behind the scenes. Let’s pull back the curtain.
The Mirage of the General Purpose AI
The Act made a special and less hard category of General Purpose AI. Consider the strong base models of such companies as OpenAI or Mistral. To begin with, the rules of these fundamental models were not very heavy.
This brings a huge grey zone. A GPAI can help a company to develop a risky tool such as an employee monitoring system. Who is responsible? Who is the developer of the foundation model? Or the company which customized it? This is the vagueness that is a blessing to corporate counsel.
“One of the legal analysts of Politico Tech observed that the greatest get-out clause in the Act is the GPAI classification. It is a nightmare of definition in favor of the largest players.”
This gradual transition into compliance with GPAI will provide them with a long runway. Accordingly, the actual enforcement may not bite years.
Rearanging the Risk, Escaping Investigation
Risk-based framework is the main body of the law. There are strict rules on high-risk AI. But what defines high-risk? Firms are becoming innovative with their responses.
AI scanning through resumes can be labeled as a productivity helper. In this case a clinical decision support system would serve as a diagnostic tool. They do not have to take on a mountain of compliance work by avoiding the high-risk label.
This isn’t just theoretical. We are witnessing it in HR technology and marketing. One of the companies, under investigation, managed to win the case, claiming that its analytics platform is limited risk. It did not give decisions but just gave insights. Their main defense against this is this semantic shift.
Innovation Sandbox Escape Hatch
Who is opposed to innovation? The sandboxes of the Act permit on-the-job testing. It sounds perfect. But it’s becoming a loophole.
Other companies are leveraging these sandboxes to implement commercial-level AI forever. They refer to it as a pilot program or beta program. This is an ingenious way of postponing complete regulatory compliance to years.
“One of the articles published in TechPolicy Press stated, warningly, that sandboxes will become permanent playgrounds where rules are not always enforced, in the name of experimentation.“
They collect user-data and optimize their product. In the meantime they are playing in a safe haven of regulation. This is a strategy delay that is a strength.
Avoiding the Blame Game: The Third-Party Liability
The contemporary IT supply chains are very complicated. A dozen vendors may provide models, data and cloud services to an AI application. This distributed reality is a challenge to the Act.
In case of failure of a high-risk AI, who bears the responsibility? The company that deployed it? Or the supplier of a defective part that was the third party to the supply? The answer is often unclear.
Take the case of a real world situation. A diagnostic tool created by an AI, used in a hospital, does not indicate a condition. The software developer is blamed by the hospital. The developer, on his part, attributes this to a biased dataset by another vendor. The victims are left in a legal perplexity by this blame game in a circle. Finally, responsibility disintegrates along the supply chain.
The Cloud Loophole at the Cross-Border
It is a globalized digitalized economy. The AI systems that have an influence on individuals in the Union are subject to the EU law. However, consider when the AI exists as a server in Texas or Singapore?
It is a gap in IT infrastructure. Whether the core AI hosted beyond the EU can expose the companies to legal liability is an issue being investigated by companies. They deliver the output and not the system to the European users.
As an example, an American social media business hosts an AI-based content moderation in a foreign country. It makes judgments about the posts of EU users. Does the company have the full impact of the Act? Already, juridical pleas are being drawn up in board rooms. The Brussels Effect is not quite infinite.
A Case Study: The HR Screening Tool
Let’s make this concrete. One of the European startups is called TalentFind and it has a strong third-party language model. They narrow it down to filter job seekers. The system is said to punish resumes which have gaps in employment.
This is probably a dangerous application under the AI Act. Nevertheless, TalentFind claims that their tool is merely a ranking assistant. According to them, the last decision in hiring is always human. Thus, they avoid the high-risk category.
Their supplier is a GPAI non EU supplier. This gives an ideal storm of loopholes. The company is not directly liable. The provider is still under complete regulation. We can do very little for the candidate the company wrongly rejected. This situation is currently unfolding.
What Does this Imply in regards to the Future of AI?
So, where does this leave us? The EU established to create a fort of regulations of trustworthy AI. Instead, they could have constructed an accidental maze. One upon which the most advanced players are getting to navigate comfortably.
The letter of the law is putting the spirit of the law to the test.
It is not simply an issue of law. It is a basic IT governance issue. Do these loopholes bring about a two tier system? The companies that possess resources are able to afford the law firms that identify the loopholes. The rest of the weight is put on smaller startups in the meantime.
The Act is an innovative introduction. However, the second thing to do is to fill these gaps. Otherwise, we are going to have an ethical AI that is a marketing tagline in the future. And the regulations, as good as they may be, only shackle those who accept them.
