NTUF Comments to OMB on AI Governance

(PDF)

 

 

 

 

On behalf of National Taxpayers Union Foundation (NTUF), I welcome the opportunity to submit the following written comments in response to the Office of Management and Budget (OMB)’s request for comments on the U.S. government’s draft memorandum on advancing governance, innovation, and risk management for agency use of artificial intelligence (AI). Located in Washington, DC, National Taxpayers Union is the oldest taxpayer advocacy organization in the United States. Its affiliated think-tank, NTUF, conducts evidence-based research on economic and technology policy issues of interest to taxpayers, including U.S. and international approaches to artificial intelligence, emerging technologies, and data protection. 

 

NTUF appreciates the recognition by the Biden and Trump administrations of the need to create a well-balanced approach to AI governance that seeks to promote AI innovation while reducing potential AI risks and AI misuse by federal agencies. As the U.S. government seeks to develop the U.S. AI strategy further, it has an opportunity to craft well-designed AI policies that will contribute to America’s position as a global center of responsible AI innovation. We believe that the U.S. government’s guidelines for agency use of AI would benefit from the following recommendations: 

 

 

 

 

 

 

A central challenge is that since individual regulators have the flexibility to issue guidelines and adjust rules based on broader AI principles, there is a risk that such guidelines are not applied uniformly across different sectors. Such differences will not only create market uncertainties but will also pose a particular challenge when certain AI applications come under the jurisdiction of multiple regulators. A hypothetical example would entail the regulation of an AI-enabled investment advisory product dealing with the personal data of users – which could be subject to the overlapping jurisdiction of the Federal Trade Commission, the Federal Deposit Insurance Corporation, the Consumer Financial Protection Bureau, and even state regulators. The U.S. AI frameworks should, therefore, design preemptive mechanisms to address the potential challenge of regulatory inconsistencies that could arise in a more flexible, decentralized AI governance approach. 

 

The UK’s proposed mechanisms for the implementation of its AI framework could provide a useful starting point for U.S. policymakers to think more analytically about such issues and design policies accordingly. The UK’s AI White Paper proposes seven supporting mechanisms for the following objectives: i) monitoring the overall effectiveness of the AI framework; ii) supporting the coherent application of AI principles across the economy; iii) assessing and addressing cross-sectoral risks from AI applications; iv) providing support and guidance to businesses; v) improving business awareness and consumer awareness of trustworthy AI; vi) conducting horizontal scanning for emerging risks and regulatory trends; and vii) monitoring global regulatory developments. 

 

 

 

 

 

 

 

While the European Union’s risk-based approach sounds reasonable on a prima facie basis, it has two major problems. First, unlike the UK’s context-specific approach, the EU’s one-size-fits-all approach to risk assessment fails to distinguish adequately between risks associated with different AI applications within the same sector. For instance, whereas the EU’s AI Act would treat all AI-enabled tasks related to the operation and management of critical infrastructure as “high risk,” the UK’s context-specific approach recognizes that, even within high-risk sectors like critical infrastructure, not all AI-enabled tools carry the same risks and should not be subject to uniform compliance and liability standards. 

 

Under the European Union’s proposed AI Act, low-risk AI applications within sectors classified as “high-risk” –such as education, employment, and law – would be subject to much more restrictive regulations than would be the case under the UK’s AI framework (Table 2). For example, since the EU considers the use of AI in education as high risk, AI-enabled language proficiency examinations by online platforms  – which often provide a much cheaper and more accessible alternative to traditional language tests like the TOEFL and IELTS– would be subject to the same compliance standards as the use of AI in other high-risk areas like medical diagnostics and critical infrastructure. Such a restrictive approach risks hampering innovation in online learning platforms, legal services, and other areas that the EU classifies as “high risk” under the AI Act. 

 

Notwithstanding this restrictive approach, the AI Act’s risk assessment framework might struggle to be flexible in addressing future risks. Although generative AI applications like ChatGPT have become widespread since the autumn of last year, the pace and scope of their rapid development would have been difficult to predict even five years ago. Likewise, despite the best efforts of lawmakers, regulators, and technologists alike, the business of making predictions about future AI risks remains a highly uncertain one. As such, it is difficult to accurately predict the AI landscape ten years from now and the unique set of risks and challenges such developments will pose. If the U.S. adopts a similar approach of classifying prespecified AI uses as “high risk” in statutes, it risks constraining innovation while remaining less flexible in identifying and mitigating future AI risks. 

 

Compared to the EU’s approach, the UK’s proposed strategy of continuously monitoring AI risks and enabling public-private collaboration to identify emerging risks represents a more flexible approach to risk management. Instead of classifying a list of AI applications as high risk, the UK has proposed a principles-based risk assessment framework, which sectoral regulators will use to evaluate risks within their regulatory remit. Furthermore, the UK government has proposed the creation of “central risk functions” – separate from sectoral regulators – that would play a central role in monitoring the effectiveness of the AI framework, monitoring current and future AI risks, and providing advice to the government on which risks should be prioritized. With closer regulatory cooperation between the government, regulators, and the private sector, this approach is more likely to enable more robust monitoring of potential AI risks, as well as the introduction or calibration of appropriate statutory instruments to address future risks as they emerge. 

 

A comparable U.S. mechanism – involving Congress and the federal government, sectoral regulators, the private sector, and independent risk evaluators – could be designed to identify and respond to future AI risks (Table 3). As part of this arrangement, Congress and the federal government would establish the overall U.S. AI framework and clarify risk management guidelines for sectoral regulators based on the AI framework. In turn, the sectoral regulators would enforce such guidelines within their regulatory remit, address prioritized AI risks, calibrate rules based on regulatory experience and stakeholder input, and recommend whether the U.S. AI framework should prioritize other emerging risks (Table 3). The central risk function – ideally comprising experts, officials, and private sector representatives independent of the sectoral regulators – would evaluate the effectiveness of this framework, identify emerging AI risks, advise Congress and the federal government whether an intervention is required to address such risks, and if so, which regulators are best suited to address such emerging risks (Table 3). 

 

 

Source: Author based on DSTI and UK Office for AI (2023) 

 

 

The U.S. government should create sectoral AI sandboxes to maximize the benefit of a flexible, innovation-focused approach to AI regulation. Such programs would allow innovative companies to offer innovative AI products under close regulatory supervision for a limited period and receive regulatory waivers, expedited registration, and/or guidance for compliance with relevant laws. Meanwhile, regulators can gain a more in-depth understanding of how emerging AI technologies and business models interact with the existing sectoral rules. Based on such insights, policymakers can craft better rules that help promote AI innovation while minimizing potential risks. 

 

Recognizing the innovation potential of AI sandboxes, the OECD recommends the creation of such programs at the national level. Following its recently concluded consultation, the UK government is currently evaluating different models of designing AI sandbox program(s). Likewise, as outlined in the draft EU Act, the European Commission encourages the creation of national AI sandboxes in member states (Spain launched the first such sandbox last year). However, such programs need to be designed appropriately to maximize their innovation potential, as pointed out in our recent letter to the White House and consultation response to the UK government. 

 

More specifically, U.S. lawmakers should consider creating sector-specific sandboxes to promote AI innovation in specific sectors and update sectoral legal frameworks accordingly. Furthermore, while sandboxes should entail close regulatory supervision and appropriate consumer protection provisions, they must also provide regulatory relief and guidance to make such programs attractive to innovative businesses. Finally, making AI sandboxes open to non-U.S. companies could help attract innovative foreign businesses to the United States and promote AI innovation. 

 

Beyond AI sandboxes, the United States should consider other mechanisms – such as joint declarations, Executive agreements, and joint research programs – to strengthen tech cooperation at the bilateral level. In this context, the Joint U.S.-UK Declaration on Cooperation in AI Research and Development in September 2020 and the Atlantic Declaration in June 2023 were steps in the right direction.  Likewise, the U.S.-EU Digital Trade and Technology Council represents another forum through which the United States could pursue closer economic and technological cooperation with the EU and EU member states. Similar opportunities also exist for bilateral cooperation with Switzerland and Japan, which seek to adopt a flexible, light-touch approach to AI governance. Establishing research partnerships – similar to Canada and the UK’s arrangements with Japan and the EU–could also help deepen U.S. technology cooperation with like-minded nations.

 

Ultimately, the U.S. government must look beyond bilateral relationships and strengthen its multilateral engagement in global AI governance. Although the United States is part of several multilateral fora and institutions that are active in AI governance – such as the OECD and the Global Partnership on AI – the U.S. appears to punch below its weight in shaping AI norms through these organizations. By participating more actively in such organizations–-as has been the case with Japan and the UK’s multi-stakeholder, multilateralist approach to AI governance–-the U.S. government can more actively contribute to the development of international AI norms and technical standards.