1/ Ok time for some *~Mastodon exclusive~* AI content, in honor of today being terrible at Twitter.
I want to share a novel and potentially controversial idea on how to regulate large AI models, specifically tied to the EU AI Act. I welcome criticism.
Here's the argument:
--It's getting more common that multiple companies are involved in developing an algorithmic application. Think a third party company using the GPT-3 API to generate cover letters.
This is the "AI Value Chain"
2/ As the number of companies building large & complex AI models expands, I expect more and varied formulations of the AI Value Chain. More instances of a "downstream" company making a business out of a big AI model
The EU, looking at the rise of these models (think GPT-3, Stable Diffusion, Gato), has termed them "general-purpose AI" and added regulatory requirements in some drafts of the EU AI Act
I think this confuses the nature of the problem
3/ The EU is considering regulating general-purpose AI (GPAI) models themselves - adding data, accuracy, risk management requirements & more
I don't think this will really work. I think the downstream uses of GPAI models to be so broad that improving the development of the GPAI process might sort of help, but doesn't guarantee downstream safety.
However, I am concerned about their downstream use, especially for hiring, educational access, financial services, public benefits - the big stuff.
4/ Instead, I think the EU should focus on making sure downstream developers have everything they need to make safe AI systems
Including the model objects.
That is, anytime a company wants to use AI for a high-risk purpose, they should have direct access to the AI model object.
This lets them run extensive testing, evaluate model-specific metrics, perform red-teaming/adversarial training, and fine-tune to ensure the model is safe and effective
5/ We can dispense with that technical jargon tho. An AI system is helping to make a decision.
In high-impact/high-risk scenarios (eg hiring, ed access, financial services, etc) it's insane that a company would make choices without fully understanding its own decisions
That's why they should have on hand large AI models (or GPAI, in EU's language) when they do it.
I make this case to the EU in my recent report - Reconciling the AI Value Chain with the EU AI Act
6/ However, there is a big and important downside to this approach
It encourages, in fact requires, proliferation of large AI models.
This comes with its own harms - such as those of automated harassment and disinformation, deepfakes, non-consensual pornography, and more
I acknowledge these are meaningful concerns. I also think there is nothing that regulation of AI models can really do here
The interventions are elsewhere (eg. better platform integrity, EU's DSA, etc)
7/ Critically, the EU's original proposal also does nothing to prevent proliferation harms
A well-documented and well-designed AI model can still be retrained on 4chan data. I don't have a solution for that problem.
BUT, that we cannot solve proliferation harms does not mean we should badly regulate _commercial harms_, which is what the EU AI Act is intended to address.
So, the EU AI Act should encourage, even require, AI model transfer for high-risk applications.
I welcome your thoughts.
Potential titles for the op-ed version of this argument:
* How to regulate the biggest baddest AI? Make the model move
* The Proliferation - Commercialization Tradeoff of AI Regulation
* Regulating General Purpose AI Doesn’t Make Sense (Yet)
@dgrobinson It is certainly true that it is expensive to train large models.
However, the compute needed to audit/assess these models is typically very accessible. Or at least, it takes relatively much much less compute.
Also... if they can't... that functionally means they have no idea how their system works. So, not sure requiring this testing is a problem in that case either.
Alex Engler
David Robinson