Just as GDPR has spurred a wave of US state privacy laws, EU AI law catalyzes state-level AI regulations across the United States. Kevin M. Alvero, Chief Compliance Officer at Integral Ad Science, analyzes the common threads of emerging state AI laws and explains why organizations need a comprehensive governance framework that addresses both regulatory compliance and stakeholder expectations in this rapidly evolving environment.
As GDPR Less than a decade later, corporate leaders should hope that the EU AI law, officially enacted in August, paves the way for us to adopt their state. ai law. Certainly, the ball is already rolling.
Although some policies regarding the use of AI in government processes have already been implemented, 20 US states They have AI laws at various approval stages that fall within the scope of private companies.
State AI Law
Yuta
The Utah State Artificial Intelligence Policy Act was enacted on May 1, 2024. The state’s consumer protection laws claim that it applies to generated AI applications in the same way as other business functions.
There are several aspects to this Law It offers compliance A leader with clues on how to approach the task of preparing an organization for new AI methods. The first relates to the use case. Utah’s law focuses on generating AI, “defined as the following artificial systems: (i) being trained with data; (ii) interacting with people using text, audio, or visual communications; (iii) producing ungenerated outputs similar to human-generated outputs.
Utah’s law was the first in the US to impose disclosure requirements on private companies that use generated AI when interacting with consumers.
Similar to the relationship between transparency and disclosure, and the use cases and regulatory requirements, there are two common threads found in existing and new US AI laws, both of which are also seen in EU AI laws.
Colorado
Colorado’s Artificial Intelligence Act provides requirements for deploying high-risk AI systems with AI developers to use reasonable care to protect consumers risk of algorithmic discrimination, which it defines as “any condition in which the use of an artificial intelligence system results in an unlawful differential treatment or impact that disfavors an individual or group of individuals on the basis of their actual or perceived age, color, disability, ethnicity, genetic information, limited proficiency in the English language, national origin, race, religion, reproductive health, sex, veteran status, or other classification protected under the laws of This state or federal law. “Like Utah law, Colorado AI Law Although it is specific to use cases, its focus is on “high risk” AI systems.
Colorado law defines AI as having a material legal or equally significant effect on any provision or denial of any consumer or cost or condition (f) (g) Insurance.
The EU AI Act also defines high-risk AI systems; Long list We consider the risk of business environments or AI techniques. Understanding whether your organization’s AI usage falls into a high-risk category is one of the most important aspects of assessing regulatory risk. Similarly, compliance leaders should be familiar with all high-risk AI definitions and whether they are related to third-party relationships, as they may be related to transparency requirements.
Also, because Colorado’s law focuses on avoiding unfair treatment, it selects AI that could unfairly treat individuals or groups of individuals in information about those known to the AI system. This requires FED data that can identify (directly or indirectly) the AI system. In other words, such systems must also comply with the applicable ones. Data Privacy law.
High-risk AI applications and the likelihood of unfair treatment (IE bias) is the connection between two more important points for compliance leaders and the data privacy laws of AI systems that process personal information.
California
California has passed many AI-related laws. One of the most important bills signed to the law requires that AI disclose that content created by the generated AI system is being generated. Beyond that, AB-2013 Generic AI providers need to clarify the source, usage, and key characteristics (date, copyright status) of the data used to train the model. Other laws provide consumer protection for AI output, such as robocall, deep fake elections, deep fake porn, and the use of actors’ voices and similarities.
What do state laws have in common?
State-level AI laws enacted so far include:
Disclosure of AI-generated content
Transparency in AI use cases
Transparency of data sources
Special requirements for high-risk applications
Controls to mitigate inequality/bias in AI models
Privacy requirements for AI processing personal data
California, Colorado and Utah were early leaders to enact the law, but the bill is pending in more than 20 other states that limit the way the private sector uses AI. The laws vary, but in many cases it includes the following provisions:
AI Governance Program and Documentation: Policy, procedure, or robustness Governance or maintaining risk management programs and internal assessments and mitigation documents.
Rating: Risk assessmentimpact assessment or rights assessment.
Training: Training Staff on AI governance practices and procedures.
Responsible Individuals: AI Governance Officer or other qualified and responsible individual.
General note: Post an announcement of your AI Governance Policy or general disclosure of system information.
Description/Incident Report: Provide decisions that facilitate AI explanations, or disclose the AI incident to affected consumers or governments. Unlike, both are post-requirements to notify an individual or government of the actions of the covered system.
Labeling/Notification: Label your consumer AI systems or provide prepaid notifications regarding their use.
Provider documentation: Downstream documents, such as specific disclosures from developers to deployers.
Registration: License, active future future, or registration with a government agency.
Third Party Reviews: External review of AI systems or governance programs such as assessments and audits.
Opt out/Appeal: It provides a mechanism to respect or appeal to other opt-out options, as an alternative to AI-enhanced decisions.
Non-discrimination: Avoid or mitigate the discriminatory effects of AI systems or obligations of care, and protect individuals from the risk of algorithmic discrimination.
Policies, procedures, and best practices
These regulations represent clear cases of new regulatory risks for businesses using AI and operating in the US. In addition to the obvious risk that companies violating the law may face potential sanctions and fines, organizations are even stronger in their compliance to avoid exposure to reputational risks and other forms of guilt from other forms of crime. In short, there is a lot to AI regulatory compliance, not only mitigating legal risks. Therefore, private companies subject to AI regulations must ensure they are in compliance with the law and must also be able to demonstrate compliance with key stakeholders that require or require the guarantee.
AI certification programs are a great way to accomplish these two broad tasks. For example, the ISO 42001 certification process helps businesses ensure that AI-related business practices are up-to-date with key standards, regulatory and governance frameworks, demonstrating this to customers, potential customers, or the public. However, not all organizations can commit to ISO certification and required resources/continuous maintenance.
Whether or not they pursue certification, we ensure that every organization using AI has the steps to take to (basically) coordinate itself with key AI governance standards and frameworks, and at the same time, they are prepared to demonstrate compliance with US AI laws.
AI Policy
Companies should consider creating a set of guidelines, rules, and regulations that govern the use of AI technology across their organizations. AI policies are designed to allow AI to be used in a responsible and ethical way and to align with legal requirements, organizational values and ethical standards. Some of the key areas that AI policies need to cover include:
Business justification for AI use.
People who can use AI (access).
Permission/Prohibited activities.
Head of AI (accountability, roles, and responsibilities).
Ethical guidelines and principles (fairness, non-bias, transparency).
Data privacy, security, and intellectual property.
Processes and procedures to make employees aware of AI risks and company policies.
AI Development/Deployment Policy
This document sets out the expected norms for the development and/or procurement of AI technologies and their implementation for their use. It should include the AI model training process, conducting pre-deployment tests, sign-off/approval, deployment procedures, and continuous output (including human monitoring) and model retraining.
AI Inventory
Every organization using AI needs a comprehensive list of tools, techniques, managers, third parties, and more involved in the development, deployment and monitoring of all AI systems across the organization. This document is more technical than AI policies and may contain AI model types, platforms, data sources, outputs, monitoring tools, key points of interaction, and other details about building an AI system. The AI Systems documentation is a fundamental component of the main AI standards and the overall governance framework and is important for compliance with transparency requirements with the law.
Use AI definitions
Once AI systems are documented, they can confirm and express what the AI organization’s use is and categorize them based on applicable laws that are important for current and new law compliance.
Disclosure
Organizations using AI technology must disclose the nature and purpose of their use to the affected parties. This can include those who interact directly with AI output, those who make the consequential decisions by AI, and those whose personal data is entered into the AI system. Organizations must also be transparent about the legitimate business objectives they use AI and the guidelines in which they operate.
AI risk and impact assessment
An organization’s use of AI and risk assessments that consider the potential financial, legal or regulatory impact on an organization or harm society are fundamental requirements of an AI governance program.
