So you want your company to begin using artificial intelligence. Before rushing to adopt AI, consider the potential risks including legal issues around data protection, intellectual property, and liability. Through a strategic risk management framework, businesses can mitigate major compliance risks and uphold customer trust while taking advantage of recent AI advancements.

Check your training data

First, assess whether the data used to train your AI model complies with applicable laws such as India’s 2023 Digital Personal Data Protection Bill and the European Union’s General Data Protection Regulation, which address data ownership, consent, and compliance. A timely legal review that determines whether collected data may be used lawfully for machine-learning purposes can prevent regulatory and legal headaches later.

That legal assessment involves a deep dive into your company’s existing terms of service, privacy policy statements, and other customer-facing contractual terms to determine what permissions, if any, have been obtained from a customer or user. The next step is to determine whether such permissions will suffice for training an AI model. If not, additional customer notification or consent likely will be required.

Different types of data bring different issues of consent and liability. For example, consider whether your data is personally identifiable information, synthetic content (typically generated by another AI system), or someone else’s intellectual property. Data minimization—using only what you need—is a good principle to apply at this stage.

Pay careful attention to how you obtained the data. OpenAI has been sued for scraping personal data to train its algorithms. And, as explained below, data-scraping can raise questions of copyright infringement. In addition, U.S. civil action laws can apply because scraping could violate a website’s terms of service. U.S. security-focused laws such as the Computer Fraud and Abuse Act arguably might be applied outside the country’s territory in order to prosecute foreign entities that have allegedly stolen data from secure systems.

Watch for intellectual property issues

The New York Times recently sued OpenAI for using the newspaper’s content for training purposes, basing its arguments on claims of copyright infringement and trademark dilution. The lawsuit holds an important lesson for all companies dealing in AI development: Be careful about using copyrighted content for training models, particularly when it’s feasible to license such content from the owner. Apple and other companies have considered licensing options, which likely will emerge as the best way to mitigate potential copyright infringement claims.

To reduce concerns about copyright, Microsoft has offered to stand behind the outputs of its AI assistants, promising to defend customers against any potential copyright infringement claims. Such intellectual property protections could become the industry standard.

Companies also need to consider the potential for inadvertent leakage of confidential and trade-secret information by an AI product. If allowing employees to internally use technologies such as ChatGPT (for text) and Github Copilot (for code generation), companies should note that such generative AI tools often take user prompts and outputs as training data to further improve their models. Luckily, generative AI companies typically offer more secure services and the ability to opt out of model training.

Look out for hallucinations

Copyright infringement claims and data-protection issues also emerge when generative AI models spit out training data as their outputs.

That is often a result of “overfitting” models, essentially a training flaw whereby the model memorizes specific training data instead of learning general rules about how to respond to prompts. The memorization can cause the AI model to regurgitate training data as output—which could be a disaster from a copyright or data-protection perspective.

Memorization also can lead to inaccuracies in the output, sometimes referred to as “hallucinations.” In one interesting case, a New York Times reporter was experimenting with Bing AI chatbot Sydney when it professed its love for the reporter. The viral incident prompted a discussion about the need to monitor how such tools are deployed, especially by younger users, who are more likely to attribute human characteristics to AI.

Hallucinations also have caused problems in professional domains. Two lawyers were sanctioned, for example, after submitting a legal brief written by ChatGPT that cited nonexistent case law.

Such hallucinations demonstrate why companies need to test and validate AI products to avoid not only legal risks but also reputational harm. Many companies have devoted engineering resources to developing content filters that improve accuracy and reduce the likelihood of output that’s offensive, abusive, inappropriate, or defamatory.

Keeping track of data

If you have access to personally identifiable user data, it’s vital that you handle the data securely. You also must guarantee that you can delete the data and prevent its use for machine-learning purposes in response to user requests or instructions from regulators or courts. Maintaining data provenance and ensuring robust infrastructure is paramount for all AI engineering teams.

“Through a strategic risk management framework, businesses can mitigate major compliance risks and uphold customer trust while taking advantage of recent AI advancements.”

Those technical requirements are connected to legal risk. In the United States, regulators including the Federal Trade Commission have relied on algorithmic disgorgement, a punitive measure. If a company has run afoul of applicable laws while collecting training data, it must delete not only the data but also the models trained on the tainted data. Keeping accurate records of which datasets were used to train different models is advisable.

Beware of bias in AI algorithms

One major AI challenge is the potential for harmful bias, which can be ingrained within algorithms. When biases are not mitigated before launching the product, applications can perpetuate or even worsen existing discrimination.

Predictive policing algorithms employed by U.S. law enforcement, for example, have been shown to reinforce prevailing biases. Black and Latino communities wind up disproportionately targeted.

When used for loan approvals or job recruitment, biased algorithms can lead to discriminatory outcomes.

Experts and policymakers say it’s important that companies strive for fairness in AI. Algorithmic bias can have a tangible, problematic impact on civil liberties and human rights.

Be transparent

Many companies have established ethics review boards to ensure their business practices are aligned with principles of transparency and accountability. Best practices include being transparent about data use and being accurate in your statements to customers about the abilities of AI products.

U.S. regulators frown on companies that overpromise AI capabilities in their marketing materials. Regulators also have warned companies against quietly and unilaterally changing the data-licensing terms in their contracts as a way to expand the scope of their access to customer data.

Take a global, risk-based approach

Many experts on AI governance recommend taking a risk-based approach to AI development. The strategy involves mapping the AI projects at your company, scoring them on a risk scale, and implementing mitigation actions. Many companies incorporate risk assessments into existing processes that measure privacy-based impacts of proposed features.

When establishing AI policies, it’s important to ensure the rules and guidelines you’re considering will be adequate to mitigate risk in a global manner, taking into account the latest international laws.

A regionalized approach to AI governance might be expensive and error-prone. The European Union’s recently passed Artificial Intelligence Act includes a detailed set of requirements for companies developing and using AI, and similar laws are likely to emerge soon in Asia.

Keep up the legal and ethical reviews

Legal and ethical reviews are important throughout the life cycle of an AI product—training a model, testing and developing it, launching it, and even afterward. Companies should proactively think about how to implement AI to remove inefficiencies while also preserving the confidentiality of business and customer data.

For many people, AI is new terrain. Companies should invest in training programs to help their workforce understand how best to benefit from the new tools and to use them to propel their business.

With the rapid proliferation of AI systems, public policymakers and industry leaders are calling for clearer guidance on governing the technology. The majority of U.S. IEEE members express that the current regulatory approach to managing artificial intelligence (AI) systems is inadequate. They also say that prioritizing AI governance should be a matter of public policy, equal to issues such as health care, education, immigration, and the environment. That’s according to the results of a survey conducted by IEEE for the IEEE-USA AI Policy Committee.

We serve as chairs of the AI Policy Committee, and know that IEEE’s members are a crucial, invaluable resource for informed insights into the technology. To guide our public policy advocacy work in Washington, D.C., and to better understand opinions about the governance of AI systems in the U.S., IEEE surveyed a random sampling of 9,000 active IEEE-USA members plus 888 active members working on AI and neural networks.

The survey intentionally did not define the term AI. Instead, it asked respondents to use their own interpretation of the technology when answering. The results demonstrated that, even among IEEE’s membership, there is no clear consensus on a definition of AI. Significant variances exist in how members think of AI systems, and this lack of convergence has public policy repercussions.

Overall, members were asked their opinion on how to govern the use of algorithms in consequential decision-making and on data privacy, and whether the U.S. government should increase its workforce capacity and expertise in AI.

The state of AI governance

For years, IEEE-USA has been advocating for strong governance to control AI’s impact on society. It is apparent that U.S. public policy makers struggle with regulation of the data that drives AI systems. Existing federal laws protect certain types of health and financial data, but Congress has yet to pass legislation that would implement a national data privacy standard, despite numerous attempts to do so. Data protections for Americans are piecemeal, and compliance with the complex federal and state data privacy laws can be costly for industry.

Numerous U.S. policymakers have espoused that governance of AI cannot happen without a national data privacy law that provides standards and technical guardrails around data collection and use, particularly in the commercially available information market. The data is a critical resource for third-party large-language models, which use it to train AI tools and generate content. As the U.S. government has acknowledged, the commercially available information market allows any buyer to obtain hordes of data about individuals and groups, including details otherwise protected under the law. The issue raises significant privacy and civil liberties concerns.

Regulating data privacy, it turns out, is an area where IEEE members have strong and clear consensus views.

Survey takeaways

The majority of respondents—about 70 percent—said the current regulatory approach is inadequate. Individual responses tell us more. To provide context, we have broken down the results into four areas of discussion: governance of AI-related public policies; risk and responsibility; trust; and comparative perspectives.

Governance of AI as public policy

Although there are divergent opinions around aspects of AI governance, what stands out is the consensus around regulation of AI in specific cases. More than 93 percent of respondents support protecting individual data privacy and favor regulation to address AI-generated misinformation.

About 84 percent support requiring risk assessments for medium- and high-risk AI products. Eighty percent called for placing transparency or explainability requirements on AI systems, and 78 percent called for restrictions on autonomous weapon systems. More than 72 percent of members support policies that restrict or govern the use of facial recognition in certain contexts, and nearly 68 percent support policies that regulate the use of algorithms in consequential decisions.

There was strong agreement among respondents around prioritizing AI governance as a matter of public policy. Two-thirds said the technology should be given at least equal priority as other areas within the government’s purview, such as health care, education, immigration, and the environment.

Eighty percent support the development and use of AI, and more than 85 percent say it needs to be carefully managed, but respondents disagreed as to how and by whom such management should be undertaken. While only a little more than half of the respondents said the government should regulate AI, this data point should be juxtaposed with the majority’s clear support of government regulation in specific areas or use case scenarios.

Only a very small percentage of non-AI focused computer scientists and software engineers thought private companies should self-regulate AI with minimal government oversight. In contrast, almost half of AI professionals prefer government monitoring.

More than three quarters of IEEE members support the idea that governing bodies of all types should be doing more to govern AI’s impacts.

Risk and responsibility

A number of the survey questions asked about the perception of AI risk. Nearly 83 percent of members said the public is inadequately informed about AI. Over half agree that AI’s benefits outweigh its risks.

In terms of responsibility and liability for AI systems, a little more than half said the developers should bear the primary responsibility for ensuring that the systems are safe and effective. About a third said the government should bear the responsibility.

Trusted organizations

Respondents ranked academic institutions, nonprofits and small and midsize technology companies as the most trusted entities for responsible design, development, and deployment. The three least trusted factions are large technology companies, international organizations, and governments.

The entities most trusted to manage or govern AI responsibly are academic institutions and independent third-party institutions. The least trusted are large technology companies and international organizations.

Comparative perspectives

Members demonstrated a strong preference for regulating AI to mitigate social and ethical risks, with 80 percent of non-AI science and engineering professionals and 72 percent of AI workers supporting the view.

Almost 30 percent of professionals working in AI express that regulation might stifle innovation, compared with about 19 percent of their non-AI counterparts. A majority across all groups agree that it’s crucial to start regulating AI, rather than waiting, with 70 percent of non-AI professionals and 62 percent of AI workers supporting immediate regulation.

A significant majority of the respondents acknowledged the social and ethical risks of AI, emphasizing the need for responsible innovation. Over half of AI professionals are inclined toward nonbinding regulatory tools such as standards. About half of non-AI professionals favor specific government rules.

A mixed governance approach

The survey establishes that a majority of U.S.-based IEEE members support AI development and strongly advocate for its careful management. The results will guide IEEE-USA in working with Congress and the White House.

Respondents acknowledge the benefits of AI, but they expressed concerns about its societal impacts, such as inequality and misinformation. Trust in entities responsible for AI’s creation and management varies greatly; academic institutions are considered the most trustworthy entities.

A notable minority oppose government involvement, preferring non regulatory guidelines and standards, but the numbers should not be viewed in isolation. Although conceptually there are mixed attitudes toward government regulation, there is an overwhelming consensus for prompt regulation in specific scenarios such as data privacy, the use of algorithms in consequential decision-making, facial recognition, and autonomous weapons systems.

Overall, there is a preference for a mixed governance approach, using laws, regulations, and technical and industry standards.