Ethics

Note: I am on the advisory board of the Risk and AI certification program of the Global Association of Risk Professionals (GARP). The following is part of the training materials for that program.

Ethical Frameworks

Three common ethical frameworks worth considering in the context of AI include the following: Consequentialism, which is an ethical theory that judges the morality of an action based on the consequences of that action; Deontology, which is an ethical framework that judges the morality of actions based on adherence to ethical duties and rules rather than focusing on consequences; and Virtue Ethics, which emphasizes virtuous character traits and living a good life, rather than rules or consequences.

Consequentialism

Consequentialism is an ethical theory that judges the morality of an action based on the consequences of that action.

At its core, consequentialism focuses on the outcomes or results of an action to determine whether it is right or wrong. The most common form is utilitarianism, which aims to maximize overall utility. Utility is often defined in terms of pleasure, happiness, or the satisfaction of desires. Under utilitarianism, the morally correct action in any situation is the one that produces the greatest net utility for all affected.

For example, designing or implementing a particular AI system would be considered morally good under utilitarianism if it increases the overall pleasure across society more than other actions one could take. Actions are not intrinsically moral, but derive their moral value solely from their results. Utilitarianism is forward-looking, circumstantially relative, and focused on end consequences. Two of the most famous proponents of this approach were Jeremy Bentham and John Stuart Mill.

A key advantage of consequentialism is that it provides a single, quantifiable metric for determining moral value. One shortcoming, however, is that the choice of metric is highly subjective, and quantification of value can be challenging. Utilitarian calculations aim to be impartial, objective, and amenable to scientific measurement of utility. However, consequences are often unpredictable, and it is unclear where the calculation should stop (i.e., should we consider only immediate consequences, or also the consequences of the consequences, and the consequences of those, etc.?).

Critics of utilitarianism and other forms of consequentialism argue that always maximizing utility can lead to actions that many consider immoral, like severely violating individual rights for the greater good. Utilitarianism struggles with situations in which utility is maximized by something most would consider unethical. The classic example is one in which a doctor has the chance to kill an unfriendly patient to use his organs and save five other patients. In the realm of AI, someone could justify implementing an AI system that violates rights on the grounds that it is more efficient and therefore saves resources.

In response, some consequentialists grant moral weight to following general moral rules (as opposed to acts) that tend to maximize utility. Rule consequentialists judge acts by whether they adhere to utility-maximizing rules, not only by their case-specific outcomes. This workaround addresses some issues with utilitarianism by ensuring rules against murder, lying, and the like are upheld even when breaking them may increase utility in isolated cases. The doctor should not kill her patient because that would undermine trust in the medical system. We should not implement AI systems that violate rights because, in the long run, that would create more problems than it solves. Some theorists, however, believe that rule consequentialism collapses into deontology.

Deontology

Deontology is an ethical framework that judges the morality of actions based on adherence to ethical duties and rules rather than focusing on consequences.

One of deontology’s most important proponents is Immanuel Kant. According to Kant, individuals have a moral obligation to act in a way that is universally applicable and treats others as ends in themselves, rather than only as means to an end. In other words, we shouldn’t treat people like things. People are ends in themselves, in that they have their own values and goals as a part of being autonomous.

The categorical imperative, a fundamental principle of Kantian ethics, asserts that one should act only according to maxims that could be willed as a universal law without contradiction, such as, “It’s wrong to lie.” Kant emphasizes the importance of moral principles, rationality, and a sense of duty in guiding ethical decision making, irrespective of the consequences.

Morality, in Kant's view, is grounded in reason and the intrinsic value of individuals, providing a principled foundation for ethical behavior. Kant is famous for not having placed moral weight on consequences. In his view, lying is always wrong, irrespective of potential consequences.

Most contemporary deontologists care about consequences and grant them moral weight. For a deontologist, however, consequences are not the only moral consideration worth taking into account and, for most deontologists, there will be red lines that should not be crossed even when it seems like the consequences might be beneficial overall.

Rights, rules, and ethical principles are all deontological in nature. They provide ethical guidance of what to do and what not to do that goes beyond consequences.

Virtue Ethics

Virtue ethics emphasizes virtuous character traits and living a good life, rather than rules or consequences. It has roots in ancient Greek philosophers like Aristotle, who taught that happiness comes from living a life guided by virtues.

The key question in virtue ethics is, "What kind of person should I be?" Rather than focusing on universal duties or maximizing utility, virtue ethicists ask what character traits we should cultivate to live well. These virtues include wisdom, courage, humanity, justice, temperance, and generosity. Acting virtuously means exercising practical wisdom to moderate our emotions, appetites, and behavior appropriately in each situation.

Virtue ethicists believe we should aspire to ideals of human excellence. Virtues are nurtured through practice, habit, and modeling virtuous exemplars. One way to approach ethical dilemmas from a virtue ethics point of view is to ask what a virtuous agent would do in a particular situation; the agent can be thought of in the abstract or as a concrete example (e.g., What would Jesus, Mohammed, Solomon, Gandhi, etc. do in this circumstance?). Virtue ethics sees morality as a matter of character built over a lifetime, not just discrete acts.

Critics argue virtue ethics lacks clear guidance for moral decisions compared to duty-based or consequentialist approaches. Because different virtues can conflict, how to weigh them is unclear. Virtue ethicists counter that practical wisdom helps navigate hard cases, and that they are in no disadvantage with respect to other theories; moral duties can also conflict, and consequences are not always comparable. Virtue ethics also integrates well with common morality, given that most people seem to learn about morality through habituation in the context of socialization (e.g., parents teaching us over and over how to behave kindly toward others).

Modern developments in virtue ethics expand its scope beyond individual character. For organizations and societies, virtues might include justice, accountability, environmental stewardship, and responsible innovation. Virtue ethics is seeing renewed interest across disciplines like moral psychology and business ethics. In the context of AI, some scholars have suggested that to build AI that is ethical, we must build it in a virtue ethics way, which would imply it learning from experience and habit, like children do. Otherwise, morality is so complex that we might never be able to code it in a top-down approach.

As mentioned before, consequentialism, deontology, and virtue ethics are not mutually exclusive, and in the context of practical ethics, they complement one another. The best kind of moral decision is one that accords with all three theories, that is, an act that maximizes good consequences, respects rights, complies with ethical principles, and embodies virtues.

What Can AI Ethics Learn From Medical Ethics?

In considering a constructive path for AI ethics, it may be helpful to turn to another realm within practical ethics with a more extensive history: medical ethics.

Ethical concerns have a long history in the field of medicine, given its direct involvement in matters of life and death. The Hippocratic Oath, thought to have been first written in Greece between the fifth and third centuries BCE, emphasizes the importance of physicians doing no harm to patients. Since that time, there have been various attempts at formalizing a code of medical ethics and exploring issues related to medical ethics.

The American Medical Association adopted its first code of ethics in 1847, drawing on earlier work done in the UK. There was an acceleration of, and increased attention to, issues surrounding medical ethics in the 20th century, which saw the creation of several important documents, including the Nuremberg Code (1947), the Declaration of Geneva (1948), the Declaration of Helsinki (1964), and the Belmont Report (1978). Medical ethics became more fully evolved in the 1970s, driven by factors including the increased concentration of medical care in hospitals and other depersonalized settings, the rising cost of medical care and increased role of government in health insurance funding, the development of “patients’ rights” as an outgrowth of broader efforts around civil rights, public outrage at medical scandals such as the Tuskegee Syphilis Experiment, and rapid advances in technology.

Technological advances posed new ethical challenges for doctors that needed solutions. The advent of the mechanical ventilator, for instance, prompted a reconsideration of the concept of death and led to the development of ethics surrounding organ transplantation. Physicians were now confronted with the dilemma of warm, heart-beating bodies with non-functioning brains, who presented an opportunity for organ procurement for transplantation. Whether to take the organs of these bodies is a moral question, not a medical one.

Practical needs, therefore, were an impetus behind the establishment of ethical frameworks, emphasizing that the responsibility of resolving ethical dilemmas should not rest solely on healthcare professionals, whose expertise lies in maintaining health rather than navigating ethical complexities.

In a manner not wholly dissimilar to that of the medical field in the 1970s, AI and other digital technology companies have found themselves to be central figures in significant controversies in recent years. As people have become concerned about the potential impact of digital practices on their lives, demand for ethical standards has grown.

Furthermore, with rapid advances in technology related to the collection, analysis, and utilization of personal data, along with the design of new applications, platforms, and tools such as autonomous cars, novel ethical dilemmas have arisen. Engineers, programmers, data analysts, risk managers, CIOs, CEOs, and Boards find themselves faced with new challenges that their training and experience may not fully equip them to face.

Principles of AI Ethics

Although most AI ethics codes contain long lists of principles, the following principles of nonmaleficence, beneficence, justice, autonomy, and explainability are both relevant and common.

Nonmaleficence

The principle of nonmaleficence asserts an obligation to avoid harming others or inflicting injuries. Part of what it means to avoid harming others is a prohibition on imposing risks of harm that are not justified or that outweigh potential benefits. In other words, not only should you not go around hurting others (e.g., subjecting them to algorithms that can harm them), but you should also not impose unnecessary or unjustified risk on others (e.g., subject them to untested algorithms that could be harmful).

Nonmaleficence does not prohibit all types of harm unconditionally. Some level of risk is permissible if it enables benefits that justify that risk, or if no alternatives are available. For instance, medical procedures (and clinical trials) inherently incur some risk but may still be justified by their necessity and benefits.

Importantly, it matters who is making the decision, and who will bear the brunt of the harm if things go badly. It is more ethically acceptable to impose risks on people who stand to benefit from whatever the proposed action is. For example, very risky clinical research may be morally acceptable if the research subjects suffer from a sufficiently serious ailment and stand to benefit from the research if it goes well. The same risky research may very well be considered morally unacceptable on healthy research subjects, or on research subjects who have an ailment that does not stand to be cured by the research. An analogous situation in AI would be considering it unacceptable for people who are at no risk of harm to impose algorithmic risks on people who do not stand to gain from those risks.

Beneficence

The principle of beneficence refers to the moral obligation to act for the benefit of others. Beneficence requires taking positive steps to help others, rather than simply refraining from harm. It moves beyond nonmaleficence, which tells us not to injure others, and commands us to advance the welfare and legitimate interests of people in need. Beneficence could include acts like donating to charity, volunteering, and providing resources or assistance to improve people's lives.

A common misunderstanding is that beneficence is solely an outcome-focused, consequentialist concept. However, duty-based deontological frameworks include beneficence as an obligation we must fulfill above and beyond what may maximize utility.

There are limits to the duty of beneficence, however. No one individual can alleviate all suffering in the world, so reasonable constraints apply. Considerations like scarce resources, competing obligations, reasonableness, and demandingness (i.e., there’s only so much ethics can demand of individuals) should factor into determining the extent of our duty of beneficence. Additionally, the recipient's right to autonomy may preclude unwanted "benefits" that disrespect personal agency and choice. People have a right to decide what is best for them, and with some exceptions (e.g., public health worries, or worries about whether a person is autonomous), that right usually trumps unwanted offers of beneficence. Nonetheless, within these bounds, actively pursuing the welfare and legitimate interests of others remains a key deontological duty.

In the context of AI, one way to think about beneficence is a duty that AI systems benefit humanity in some way. At a minimum, an AI system should offer solutions to problems, and be designed to improve the lives of those who interact with it.

Justice

Justice refers to the moral obligation to act in accordance with principles of fairness, equality, impartiality, and proportionality. In ethics, justice requires giving each person his or her proper due while upholding duties toward fairness and equality.

There are different concepts of justice. Procedural justice demands fair processes and impartiality. Distributive justice focuses on equitable allocation of benefits and burdens in society. Restorative justice aims to repair harms through reconciling victims and offenders. Interactional justice concerns respect and fairness between individuals. Social justice refers to just institutions in society that provide for basic rights and needs.

Justice is concerned with ensuring human rights are respected, resources are distributed equitably, opportunities are available to all, the law is applied impartially, and no one is discriminated against unfairly. Violations of justice may lead to human rights abuses, discrimination, corruption, inequality, and exploitation of vulnerable groups.

However, there are debates around what constitutes a just distribution of goods or a fair process. Different principles of justice - like egalitarianism, utilitarianism, meritocracy, or need-based allocation - can conflict. There are also disagreements around what goods justice should be concerned with distributing, like resources, opportunities, power, or welfare.

Despite these debates, there is broad agreement that justice is a vital moral principle and remains a cornerstone of ethics. To enjoy legitimacy, moral decisions must be justifiable to all and align with what is fair. Another point on which there is broad agreement is that, as a matter of justice, people should not be discriminated against for characteristics that are morally irrelevant (e.g., race).

Autonomy

Autonomy refers to the capacity of people to make their own informed, un-coerced decisions about their lives and actions. As an ethical principle, autonomy commands respecting and supporting others' abilities to determine their own course in life.

In cases in which autonomy may be constrained because a person lacks the capacity to make rational decisions (i.e., children, unconscious patients, and patients who lack certain crucial cognitive abilities), a surrogate decision maker, such as a family member or a legal guardian, may need to act in the individual's best interests.

Autonomy has roots in humanistic and existentialist traditions. It depends on capacities for self-awareness, independent decision making, critical reflection, and personal freedom. Infringing on someone's autonomy contravenes her right to direct her own life.

In healthcare, respect for autonomy is crucial. Patients have a right to voluntary informed consent and refusal regarding their treatment. The doctor’s duty is to inform the patient appropriately, and it is up to the patient to decide what, if any, treatment to pursue. Coercion, deception, manipulation, and undue influence all undermine autonomy.

An ethical AI system respects people’s autonomy by not using coercive or manipulative tactics to get people to act in a particular way. Technology should help people further their own life goals, as opposed to trying to further the goals of third parties (e.g., companies, governments, etc.).

Explainability

The ethical principle of explainability (sometimes called explicability) has gained significant attention in the context of AI. It refers to the idea that AI systems, especially those with decision-making capabilities, should provide transparent and understandable explanations for their actions or decisions.

One reason explainability is thought to be important is for the purposes of accountability. Decisions made by AIs (particularly in areas like healthcare, finance, and criminal justice) can have a profound impact on individuals' lives. Ensuring that AI systems can explain their decisions is essential for being able to hold accountable the companies and people that design and implement them. It can also help identify and rectify errors, biases, or unfair practices.

Explainability is also thought to further trust. Trust is a fundamental component of the adoption and acceptance of AI technologies. If users or stakeholders cannot understand how a system reaches its conclusions, they are less likely to trust it. Explainability fosters trust by making AI systems more transparent and predictable.

Without the ability to explain why an AI system made a particular decision, it becomes harder to ensure that it adheres to ethical guidelines and respects individual rights.

There are various levels and types of explainability in AI:

Local explainability focuses on explaining the decisions of a specific AI model on a single instance or prediction. Local explanations provide insights into why a particular decision was made for a particular case.

Global explainability looks at an AI model’s overall behavior and decision-making processes. It provides a more comprehensive understanding of how the model operates across various inputs.

Model-specific explainability refers to the fact that some AI models have specific explainability techniques tailored to their architecture. For example, decision trees have intuitive rules for explaining their decisions, whereas deep neural networks may require different methods. In contrast, model-agnostic methods are designed to work with any AI model, making them more versatile. They don't rely on the specific architecture or algorithms used in the model.

There is considerable debate about what exactly counts as an explanation and to whom an explanation is owed. The former partially depends on the latter because the explanations intended for experts will likely differ from the kinds of explanations that are intended for regulators or ordinary citizens.

What counts as a good explanation will likely vary depending on the kind of AI, but one popular approach is to develop counterfactual explanations. Consider a case in which an algorithm decides whether to grant loans. A counterfactual explanation might involve presenting a hypothetical scenario that contrasts with the actual decision. For instance, suppose the AI denies a loan to an individual based on certain criteria, such as having too little money in the bank, or earning too low a salary. A counterfactual explanation could be constructed by presenting an alternative scenario, stating the conditions under which the loan would have been approved (e.g., having $10,000 more in the bank, or earning $1,000 more per month as a salary). This counterfactual scenario helps the individuals understand the specific factors that led to the denial and provides actionable insights, such as increasing their salary or their bank savings. Counterfactual explanations contribute to transparency and help users comprehend the influence of different variables on AI decisions.
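The loan scenario above can be worked through in code. This is an added example, not part of the original training material: the decision rule `approve`, its weights and threshold, the sample applicants, and the `ACTIONABLE` search ranges are all constructed for illustration. The search treats the model as a black box, so it is a local, model-agnostic explanation in the sense described earlier.

```python
"""Added example: single-feature counterfactual explanations for a loan denial."""

# Hypothetical decision rule standing in for any black-box model (an assumption,
# not a real scoring formula). Integer "points" avoid floating-point surprises.
def approve(applicant):
    points = 2 * applicant["savings"] + 20 * applicant["monthly_salary"]
    return points >= 80_000

# Features the applicant can realistically change: (search step, largest increase
# considered), in dollars. Attributes such as age are deliberately not listed,
# so they are never proposed as something to "change".
ACTIONABLE = {"savings": (500, 50_000), "monthly_salary": (100, 2_000)}


def counterfactuals(model, applicant, actionable=ACTIONABLE):
    """For a denied applicant, return {feature: smallest increase that flips the
    decision}, changing one feature at a time. Features for which no increase
    within the searched range works are omitted."""
    if model(applicant):
        return {}  # nothing to explain: the decision was already favourable
    found = {}
    for feature, (step, limit) in actionable.items():
        for increase in range(step, limit + 1, step):
            candidate = {**applicant, feature: applicant[feature] + increase}
            if model(candidate):
                found[feature] = increase
                break
    return found


def explain(model, applicant):
    """Turn the counterfactuals into the kind of sentence shown to the applicant."""
    if model(applicant):
        return "Approved."
    changes = counterfactuals(model, applicant)
    if not changes:
        return "Denied. No single change within the searched range leads to approval."
    options = " or ".join(
        f"${inc:,} more in {feature.replace('_', ' ')}" for feature, inc in changes.items()
    )
    return f"Denied. The loan would have been approved with {options}."


# Constructed applicants.
DENIED = {"age": 41, "savings": 5_000, "monthly_salary": 2_500}
DENIED_LOW_INCOME = {"age": 29, "savings": 0, "monthly_salary": 1_000}
APPROVED = {"age": 35, "savings": 20_000, "monthly_salary": 3_000}

if __name__ == "__main__":
    for person in (DENIED, DENIED_LOW_INCOME, APPROVED):
        print(explain(approve, person))
```

For the second applicant only the savings counterfactual is reported, because no salary increase within the searched range flips the decision; an explanation that is not achievable for the person is not actionable.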

Bias, Discrimination, and Fairness

Bias within the realm of AI refers to a systemic deviation in the output or impact of an algorithm compared to a desired norm or standard. Essentially, an algorithm is considered biased when it deviates from its intended function. Suppose an algorithm is designed to identify the best job candidates for a position as an executive. If the algorithm tends to recommend for or against candidates based, not on their qualifications, but on an unrelated feature such as race or sex, then it is biased because it is deviating from its intended function.

A well-designed AI should align with its stated purpose, optimizing performance according to established standards. The aim is not to achieve an entirely “objective” algorithm, as every algorithm inherently reflects values embedded in its design. These values are shaped by the perspective that certain aspects are deemed valuable or important, as the algorithm strives to excel based on specific metrics. For instance, an algorithm assessing loan eligibility may prioritize a person's bank account balance, considering it relevant to optimizing loan repayment.

Not all biases are inherently problematic from an ethical standpoint. Justifiable biases can form part of a well-designed AI. Conversely, not all AIs that are statistically or legally unbiased are necessarily ethically acceptable. Even statistically unbiased algorithms can inflict unwarranted harm, such as implementing a service that charges exorbitant fees to everyone. The ethical concern when it comes to AI bias arises when biases result in unfairness, disadvantaging individuals for unjustifiable reasons in comparison to others.

Problematic Biases

Problematic biases in algorithms often occur unintentionally. Due to their complexity, algorithms can inadvertently incorporate ethically problematic biases. Four primary sources contribute to biases: problem specification; data; modeling, validation, and algorithm design; and deployment. This overview of biases is not exhaustive, and various categorizations exist that consider possible interactions and the multifaceted nature of biases in algorithms.

Biases in Problem Specification

An algorithm may exhibit bias from its inception if the goals it is designed to achieve contain inherent problems. Operationalizing complex goals is a nuanced task, and often, the selected target variables may fail to capture real-world objectives accurately. For instance, if a bank aims to eliminate all risks and lends only to individuals that it is certain will repay, it may inadvertently end up catering exclusively to affluent individuals. In such cases, modifying the target goals to accommodate a reasonable level of risk may be necessary. Another example is an algorithm that was meant to identify patients who are sicker to assist health professionals with triage, but that was using health care expenditure as a proxy, thereby favoring not the sickest patients, but the richest ones who tend to spend more on healthcare.

Biases in Data

If they rely on historical data, ML algorithms may tend to perpetuate biases from the past; this propensity is commonly known as historical bias. In addition to the use of historical data possibly perpetuating bias related to features such as sex and race, it can more broadly lead to inaccurate or malfunctioning algorithms, especially when lab data does not align with real-world trends.

Consider a theoretical dataset containing all relevant data for all the loans that have ever been made. That data would likely show that successful loans (i.e., loans that have been repaid in the agreed-upon time frame) have mostly been given to men, as women have been excluded from active participation in the banking system until relatively recently. If an algorithm used that full historical data set as input, it would likely favor men, even if there is no valid reason for such a preference. Likewise, a dataset that spanned the pre-pandemic years 2010-2019 that was used to help predict office vacancy rates and commuter rail volume for 2025-2030 may lead to inaccurate predictions because the patterns that existed in 2010-2019 may be significantly different from those in 2025-2030.

A different but related data challenge is that historical data rarely show counterfactual outcomes. This problem is called the selective labels problem. For example, a company probably doesn’t track the career progression of those it didn’t hire; therefore, it will never know whether it indeed hired the best candidate. A bank has data on the people to whom it gave loans, but it doesn’t have data on the people to whom it denied loans. The people who were denied loans might’ve become even better clients than those to whom it gave loans, but because it doesn’t have that data, it will continue to select people who are like those to whom it has granted loans in the past.

Another related but distinct kind of bias stemming from data is sampling bias. It is a bias that is well known in science. Sampling bias arises when the data sample is not random. If the data sampled are not random, the trends shown by the population under study may not generalize to another population. Let’s suppose that most of our data comes from young men. And let’s suppose that an AI finds that a particular drug at a certain dose is effective in treating pain. Even if that correlation were not spurious, it may not generalize to other groups such as women or the elderly.

Biases in Modeling, Validation, and Algorithm Design

Even when the problem specification is sound and the data unbiased, biases can emerge during the modeling, validation, and design phases of algorithms. Choices related to optimization functions, the application of different regression models, consideration of subgroups, and how information is presented can all introduce biases. For example, a search engine designed to help in selecting financial products may inadvertently favor popular items, perpetuating a cycle where popularity leads to increased exposure, irrespective of product quality. These biases can affect the overall fairness and effectiveness of algorithms, highlighting the importance of careful choices throughout the development process.

Biases in Deployment

Even when all other aspects are meticulously addressed, biases can still emerge when an unbiased algorithm is deployed in the real world. Consider an algorithm designed to assess the risk of a person defaulting on a loan. Suppose the algorithm is still undergoing testing, and its limitations are well-known, prompting a cautionary advisory against relying solely on it for decision making. However, in practice, some bank employees may defer entirely to the algorithm's suggestions. Some studies indicate that when human beings receive a suggestion from a computer, they often opt to defer to the automated system. There are a few hypotheses as to why people tend to defer to automated systems. It might be because it’s convenient and time saving. It might also be because automated systems appear to be more “objective,” and people know their own fallibilities, which might create self-doubt. Perhaps deferring to an algorithm shields people from responsibility. At best, responsibility seems shared, whereas going against the recommendation of an algorithm might expose people who make mistakes to harsher judgments and blame. This tendency to do as we are told by an algorithm creates unintended incentive effects, where individuals might relinquish responsibility, allowing them to attribute blame to the algorithm in case of any issues. The implementation of algorithms can thus inadvertently shape behavior and decision-making processes in unanticipated ways.

When Does Bias Count As Discrimination?

Whether bias results in discrimination in a legal sense may vary depending on jurisdiction. In general, algorithmic bias is likely to lead to discrimination when it results in disfavoring people based on their race, sex, ethnicity, age, or any other classification protected by law. Such disadvantages typically violate legal protections, and designers, developers, deployers, supervisors of automated systems, and risk managers have an interest in taking proactive and continuous measures to protect against it.

Fairness

Fairness entails the absence of bias or preference toward an individual or group based on irrelevant characteristics, such as their race. An algorithm is considered fair when it does not exhibit problematic biases. There are two primary types of fairness: group and individual fairness. Group fairness involves statistical criteria, where, for example, in loan distribution, statistical parity would require the demographics of approved individuals mirror the overall population (if 51% of the population is female, 51% of loan recipients should be women). On the other hand, individual fairness emphasizes treating similar individuals similarly, even though defining similarity can pose challenges.

A significant challenge to ensuring fairness in AI algorithms relates to the mathematical impossibility of automating fairness when base rates are unequal. As cited previously, when base rates between populations are different, which is almost always the case, then it is impossible to satisfy demographic parity, predictive rate parity, and equal opportunity simultaneously. For instance, consider a scenario in which a majority of individuals who engage in certain criminal activities are men, and an AI is evaluating the risk of a specific man and woman committing a crime. If the AI assigns a higher risk score to the man, he may argue that he is being treated unfairly. Conversely, if the AI assigns a similar score to the woman, she may argue unfair treatment, given that women statistically exhibit a lower likelihood of committing those crimes. Automating fairness becomes feasible only when base rates are equal, which is seldom the case in reality. Fairness can ultimately be considered a moral or ethical judgment, not a mathematical one, and it can involve making imperfect compromises and trade-offs that might need to change in response to changing circumstances.
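The impossibility described above follows from one identity: for any group, selection rate = (true positive rate × base rate) / positive predictive value. The added example below (not part of the original training material; the group sizes, base rates, and function names are constructed for illustration) builds the confusion counts for two groups with different base rates and checks which of the three criteria hold. It assumes a non-degenerate classifier, that is, one that flags at least some true positives.

```python
"""Added example: unequal base rates rule out satisfying all three criteria."""
from fractions import Fraction as F


def rates(tp, fp, fn, tn):
    """Per-group quantities that the three fairness criteria compare."""
    n = tp + fp + fn + tn
    return {
        "base_rate": F(tp + fn, n),        # share of the group that is truly positive
        "selection_rate": F(tp + fp, n),   # demographic parity compares this
        "tpr": F(tp, tp + fn),             # equal opportunity compares this
        "ppv": F(tp, tp + fp),             # predictive rate parity compares this
    }


def confusion_for(n, base_rate, tpr, selection_rate):
    """Confusion counts (tp, fp, fn, tn) that a group of n people must have to
    show the given base rate, true positive rate, and selection rate."""
    positives = n * base_rate
    tp = positives * tpr
    fp = n * selection_rate - tp
    fn = positives - tp
    tn = n - tp - fp - fn
    counts = (tp, fp, fn, tn)
    if any(c < 0 or c.denominator != 1 for c in counts):
        raise ValueError("rates not achievable with whole people at this group size")
    return tuple(int(c) for c in counts)


def selection_rate_forced_by(base_rate, tpr, ppv):
    """Once TPR and PPV are fixed, the selection rate is no longer a free choice."""
    return tpr * base_rate / ppv


def criteria_met(a, b):
    """Which fairness criteria hold between two groups' rates."""
    return {
        "demographic_parity": a["selection_rate"] == b["selection_rate"],
        "equal_opportunity": a["tpr"] == b["tpr"],
        "predictive_rate_parity": a["ppv"] == b["ppv"],
    }


# Constructed scenario: 1,000 people per group, base rates 50% and 20%.
N, TPR = 1000, F(4, 5)
GROUP_A = rates(*confusion_for(N, F(1, 2), TPR, F(1, 2)))  # PPV works out to 4/5

# Option 1: give group B the same TPR and PPV; its selection rate is then forced.
B_SELECTION = selection_rate_forced_by(F(1, 5), TPR, GROUP_A["ppv"])
GROUP_B_SAME_PPV = rates(*confusion_for(N, F(1, 5), TPR, B_SELECTION))

# Option 2: give group B the same TPR and selection rate; its PPV is then forced.
GROUP_B_SAME_SELECTION = rates(*confusion_for(N, F(1, 5), TPR, F(1, 2)))

if __name__ == "__main__":
    print("same TPR and PPV      ->", criteria_met(GROUP_A, GROUP_B_SAME_PPV))
    print("same TPR and selection ->", criteria_met(GROUP_A, GROUP_B_SAME_SELECTION))
    print("group B PPV under option 2:", GROUP_B_SAME_SELECTION["ppv"])
```

Which criterion to give up is the moral judgment the paragraph above refers to; the arithmetic only shows that one of them has to go.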

Fairness is not only about outcome, but about procedure. Procedural fairness provides reassurances, not only that a fair outcome will be sought, but that it will be sought through impartial and just processes. Take the justice system as an analogy. Procedural fairness involves having the right structures in place to have rule of law. Outcome fairness involves making sure guilty people receive an appropriate punishment and innocent people go free. Sometimes there are mistakes (e.g., innocent people can end up in jail and guilty people can be set free), but when there is a fair process in place, those mistakes can be justifiable (e.g., the evidence suggests guilt or innocence) and there are ways to right some wrongs (e.g., if new exculpatory evidence emerges, convicted individuals can be granted new trials and possibly be released and seek redress for an unfair outcome). In the context of AI ethics, the challenge is to create corporate structures that can carry out both procedural and outcome fairness. For instance, having an ethics committee that can weigh consequentialist, deontological, and virtue ethics considerations to develop and implement best practices can help achieve both outcome and procedural fairness.

Avoiding Problematic Biases and Unfairness

There is no such thing as an “objective” algorithm. Given that it is mathematically impossible to satisfy all definitions of fairness simultaneously, the task is not to avoid biases in general, but to avoid problematic biases. For example, it may be that the AI in self-driving cars must be tweaked to make it more sensitive to some people. If the algorithm is tweaked to be especially sensitive to identifying (and avoiding) children, its accuracy when it comes to identifying adults may be diminished.

What is most important is to be aware of trade-offs and to make decisions that are justifiable to the population at large, the stockholders, the stakeholders, regulators, and those who lose out. Consequentialist considerations in the self-driving car example would include calculating the potential risk of accidents using different versions of the AI. Deontological considerations would include taking care that an AI doesn’t disfavor people within protected categories (e.g., it could be that the self-driving car AI is better at identifying men because they tend to be larger), or include safety minimums below which we would not be willing to make compromises. Virtue ethics considerations would include putting in place processes for ethical decision making that would result in responsible professionals and a responsible company.

Among the tools that can help companies avoid problematic algorithmic biases are the following:

Technological solutions. Some toolkits are being developed to assess the amount of fairness in a system. Companies can create their own internal “auditing” systems to identify potential biases that their AIs display. Companies acquiring AIs from third parties can demand bias reports from providers (or, possibly even better, from independent assessors) to be aware of how the AIs they are using behave.

Although some technological tools can be helpful in identifying and avoiding bias, technology rarely solves bias problems on its own. This is partly because of the difficulty in automating fairness. If fairness cannot be automated, then algorithmic auditing for fairness cannot be automated either, and AI cannot solve the fairness problems that it creates.

Data quality. Ensuring that data is diverse, updated, accurate, representative, and free from past discriminatory tendencies goes a long way toward avoiding biases, but again, is not a panacea on its own. In some cases, it is possible to use synthetic data (fabricated datasets). The advantages of synthetic data include that it doesn’t entail privacy risks, given that the data does not come from real data subjects; synthetic data can also be more easily rid of problematic biases by design. The disadvantage is that sometimes synthetic data isn’t as precise as real data (especially when it comes to visual data), and that it might differ from real data in ways that are not obvious.

Auditing. Algorithmic auditing is likely the best way to identify and correct biases. There are private companies that offer this service. Auditing will include using technological tools and statistical analyses, but also a fresh and diverse look at your systems.

Ethical committees or similar structures. Instituting forums in which possible problematic biases can be discussed, and in which decisions about trade-offs can be made by weighing consequentialist, deontological, and virtue ethics considerations, can help ensure procedural fairness and can contribute to outcome fairness.

Training for board and C-suite. Given the wide range of risks to which a firm might be exposed if AI models are designed and implemented in a manner that is not responsible or ethical, firm leadership should be educated as to the risks associated with AI and the importance of ethical/responsible AI practices to help mitigate those risks.

Privacy and Cybersecurity

In the context of AI, someone has privacy with respect to some person or institution and in reference to some personal data point if that person or institution has no access to that personal data point. In other words, we have privacy to the extent that others don’t have access to our personal information. Privacy is important because, among other things, it protects us from possible abuses of power. The more someone knows about you, the easier it is for them to interfere with your life.

Data security is doing what is necessary to prevent unauthorized access to data. Data security includes protecting data from attacks such as ransomware, which can encrypt or destroy data, as well as from theft, and from attacks that can corrupt data. It covers the physical security of hardware and storage devices, administrative and access controls, organizational policies and procedures (including employee training), and software applications.

Why is Privacy an Ethical Issue?

Privacy is an ethical issue because the lack of it can lead to wrongs, harms, and risks for individuals, institutions, and society at large. In ethics, wrongs are sometimes distinguished from harms. Wrongs can sometimes lead to harm, but they are immoral even when they don’t lead to harm. For example, cheating on your spouse wrongs them, even if they never find out about it and no tangible harm comes from it. Similarly, violating people’s privacy is wrong because it violates their moral and legal rights to privacy, and because it amounts to treating people instrumentally (as things, as a means to your objectives, and not as autonomous human beings).

Privacy losses can harm citizens in a variety of ways. Individuals can suffer discrimination, blackmail, exposure and public shaming, identity theft, and the like. Privacy losses are also a potential liability to institutions. Every personal data point is a potential lawsuit, a potential fine. Finally, privacy losses can result in harm to society. The extent of personal data collection, for example, has made it relatively easy for anyone (including foreign adversaries) to learn of sensitive information about military personnel or politicians and blackmail them, which can endanger national security and democracy in various ways.

The more personal data is collected, the longer it is stored, and the more it is analyzed and shared, the higher the risk of harm down the line. Personal data suffers from the very dangerous combination of being cheap to mine, very valuable, very sensitive and prone to being abused, and very hard to keep safe.

In cyberspace, defenders are at a disadvantage with respect to attackers. Whereas the attacker can choose the moment and method of attack, defenders must always protect themselves against every type of attack. If there’s an attacker with enough resources and motivation, it’s a matter of time before they get to the data they want. Arguably, the imposition of a risk amounts to a wrong (e.g., someone trying to kill you imposes an unjustifiable risk on you, and therefore a wrong, even if they fail).

Companies that collect more personal data than is needed are creating their own risk. One way to think about it is that personal data is a toxic, albeit potentially highly valuable asset. It might be cheap, easy to mine, and profitable, but it also exposes the company to risk of hacks, leaks, lawsuits, and more. Personal data can also be expensive to manage; given its sensitivity, it needs expensive infrastructure as well as legal teams to ensure compliance. Companies, therefore, have an incentive to consider the risks and rewards related to the collection, storage, and use of personal data when they design products and services.

Principles and Good Practices

Once again, making decisions about what personal data, if any, to collect, how to keep it safe, how to use it, and how and when to delete it will include a combination of technical and practical capabilities as well as ethical reflection. Consequentialist considerations will include: What are the best- and worst-case scenarios? How can we minimize the risk that the worst happens? Just how sensitive is the data? How confident are we that we can keep it safe? Deontological considerations will include taking care to respect the moral and legal right to privacy, as well as following ethical principles like data minimization (see below). Virtue ethics considerations will include asking ourselves what a responsible company would do given the circumstances.

The following are the most important ethical principles related to privacy and cybersecurity to ensure best practices.

Right to privacy. The right to privacy is generally considered a moral right. That is, for ethical reasons, we have a claim against others that, other things being equal, they do not access our personal data, whether the law in a particular country or historical moment recognizes that right or not. The right is also enshrined in constitutions around the world (thereby making it a legal right as well, in many countries), and in the Universal Declaration of Human Rights.

Data minimization. Data minimization is the most effective way to protect privacy: collecting only the data that is necessary to fulfill a specific purpose. Given that one is imposing a risk on data subjects when one collects their data, personal data should only be collected when the benefit to the data subjects outweighs the possible disadvantages.

Right to be forgotten. The right to be forgotten is a person’s right to have private information about them removed from Internet searches and other directories (thereby making it less accessible), when the data is somehow inadequate (e.g., incorrect), irrelevant or no longer relevant, or excessive in relation to the purposes for which it was processed.

Control over data. Giving people control over their data is another measure that can minimize potential abuses of data. This would involve making it easy for individuals to deny or withdraw consent for data collection and processing, to access their personal data (and the inferences that are made about them), transfer their personal data, and delete their personal data.

Contextual integrity. The use of personal data should adhere to contextual norms of privacy. When people give up their data in a particular context, they have certain expectations about how that data will be used. When we transfer the data to a different context, privacy norms are violated. For example, if a person gives personal data to a bank to carry out a transaction, that data should not be sold to a marketing company or used for another purpose. If a patient gives their data to their doctor for the purposes of receiving a diagnosis and treatment, that data should not end up in the hands of a data broker.

Data deletion. Personal data should be deleted as soon as it is not necessary. Routine data deletion is a way to protect individuals, and it is also a way to keep data accurate (personal data tends to change quite quickly; people change tastes, jobs, houses, cars, etc.). Personal data should not be collected with the intention of being kept forever. Having an expiry date is an element of good data-security practices.

Data security. Data security is part of complying with due diligence. It’s good practice to use all technical tools available to keep data safe, from strong encryption (and strong passwords) to thorough anonymization of data and use of cryptographic methods such as differential privacy. If an organization cannot keep data safe, it puts itself at risk by collecting personal data in the first place.

Governance Challenges

AI can be difficult and challenging to govern. Some of the difficulties typically considered include power asymmetries, lack of transparency, lack of interpretability, lack of AI ethics structures, lack of national regulation, lack of international regulation, unpredictability of how these systems might change or how people might interact with them, generative AI not being truth-tracking, and worries about privacy and copyright.

Power Asymmetries

Many of the tech companies that are at the cutting edge of AI are often more powerful—in terms of wealth, influence, and expertise—than some national governments and regulatory agencies. These asymmetries can lead to challenges in terms of legislative and regulatory bodies effectively responding to potential risks posed by AI and its uses.

Lack of Transparency

Most AI systems have been developed by private companies that may not be subject to the same transparency requirements as public institutions or universities. As a result, the public, academics, journalists, policymakers, and regulatory agencies may have little detailed information about the practices that went into designing and training large language models, for example, from the datasets used to details about whether and how the systems were tested and tuned for safety.

One of the promises that resulted from the UK's AI Summit in November 2023 was the commitment on the part of a few companies, including OpenAI, Google DeepMind, and Anthropic, to give the UK government early access to their systems to be tested for safety. The details of this agreement are unknown. It is unclear whether the government will receive the source code, or what kind of access will be involved. Furthermore, the commitment is not legally binding.

Lack of Interpretability

Even with greater knowledge regarding the companies building AI, there is still a challenge related to the limited interpretability of these systems. Neural networks are sometimes called "black boxes" because often not even computer scientists can be sure of exactly how the model is doing what it's doing. One major reason for this lack of interpretability is that AI systems like large language models are trained using a method called backpropagation, which adjusts the weights of the neural network so as to minimize the error between the model's output and the desired output. Although this method can be effective at improving the model's performance, it does not provide any insight into how the model arrived at its decisions.

The use of proxies is a common technique used by AI systems to simplify the training process by representing complex or difficult-to-measure objectives with a simpler, easier-to-measure metric. For example, an AI system designed to generate news articles might use word count as a proxy for article quality, rather than trying to measure the quality of the content directly. By using proxies, AI systems can make progress toward a goal without needing to optimize directly for the goal itself, which can be a challenging and computationally expensive task. However, this approach can also introduce potential issues, such as optimizing for a goal that is not truly aligned with the system's overall objective, and if outside observers — be it academics or regulatory bodies — don't know what proxies the model is using, it is difficult to govern that model. Additionally, the sheer size and complexity of the models, with millions or even billions of parameters, make it difficult to trace back the processes behind the model's outputs. Different methods to audit the outputs of the systems are being developed to try to get around the difficulty of looking into the "black box."

Lack of AI Ethics Structures

If we compare AI ethics with medical ethics, the lack of structure seems evident. Medical ethics is supported by bioethicists, ethical codes, and ethics committees, among others. Every doctor must take a bioethics class and is a licensed professional. Every hospital adheres to international ethics codes. Every clinical research study is overseen by an ethics committee; there is nothing similar when it comes to AI ethics.

Even though AI ethics is gradually becoming mainstream, a computer scientist can still go through an education without ever taking a course in AI ethics or being a licensed or certified professional. Although boards are increasingly worried about AI risks, it is still rare to see AI ethicists as board members.

Lack of National and International Regulation

At the time of writing, there are still no national laws regulating AI (with the exception of China). There are likewise no specialized agencies overseeing AI, and no government-mandated auditing of large language models or other kinds of AI. Just as regulatory agencies have arisen for other kinds of regulation (e.g., the FDA for food and drugs), the future may bring regulatory agencies that have the specialization needed to understand and govern AI. The European Union has taken the lead by establishing the European AI Office.

AI is an international technology, from its sources of data and talent to its implementation and use. It is therefore not unreasonable to expect some movement toward international regulation or agreed best practices.

Unpredictability Issues

One of the characteristics of some kinds of AI like neural networks is that they present emergent behavior and properties that were not explicitly coded into the system. These systems can therefore surprise human beings, laypeople and experts alike, not only in their capabilities, but also in the kind of mistakes that they make. AIs can also be surprising in the way people interact with them. It can be difficult to predict the uses and misuses to which they can be subject. One potential option to minimize the risk of unpredictability is to subject AIs to randomized controlled trials (RCTs) to test for their safety. Another option, complementary to RCTs, is to audit AIs periodically for safety and accuracy.

Lack of Truth-Tracking Abilities

Large language models (LLMs), one kind of AI that has become most popular, are not based on an understanding of truth or a knowledge of the world. Rather, they make statistical inferences and probabilistic “guesses” to construct responses. Given the input and their training, they are designed to give plausible responses. But plausible responses are not necessarily truthful. Even when responses are false, they can still appear plausible and convincing. This can create risks including the creation of plausible misinformation, physical safety risks (e.g., LLMs giving incorrect medical advice), and libel and other speech-related risks. Speech is a contentious area of governance, but speech created by a machine that is in turn created by a company using data whose lawful acquisition is unclear can make for a governance nightmare.

Privacy and Copyright

When companies scrape data off the internet, or collect data from their users, questions related to whether they have a claim to that data arise. There is the worry that the privacy of data subjects has been violated by collecting the personal data of millions of unsuspecting internet users. It is unclear, for example, whether LLMs can comply with Europe's General Data Protection Regulation, as European citizens are supposed to have a right to ask companies what data they have on them, to modify that data, and delete that data. It is far from clear that the companies that develop and sell access to these LLMs can comply with such data requests. Finally, there is the concern that copyright has been violated with LLMs ingesting material like books. At the time of writing there are various lawsuits in process related to these matters.

Regulatory Landscape

There is broad consensus that AI should be regulated, and the passage of AI-related laws in countries around the world bears this out. There is not, however, a commonly held view of what form such regulation should take. The remainder of this module takes a high-level look at the regulatory approaches and initiatives of three governmental players likely to have an impact on how AI models are developed and deployed worldwide: Europe, the U.S. and China.

The Relationship Between Ethics and the Law

Ethics is considered a complement to law and necessary to ground, inform, and shape law. Societies tend to regulate behavior according to what they deem morally acceptable. Ethics helps one distinguish between just and unjust laws. Laws, however, are narrow in scope; they typically establish minimal requirements of behavior for social institutions to function well. Ethics goes beyond that—it identifies moral issues, reflects on the kind of society we want to live in based on ideas of what a good life looks like, and makes recommendations accordingly. Ethics, therefore, can be considered more ambitious than the law.

Think of the kind of people with whom you like to surround yourself. Would you be content with them being law-abiding citizens, or would you also like to be around people who are honest, reliable, and loyal? It is not against the law to abandon your friends when they need you the most, but it is certainly immoral. Laws allow us to have orderly interactions with one another within a framework of basic fairness. Ethics allows us to strive toward ways of life that will be most conducive to our own and others’ wellbeing.

Even though AI ethics is gaining importance, there are some who feel that laws are also needed to govern AI. Some laws, like Europe’s General Data Protection Regulation, were not designed to legislate AI, but are relevant for the design and implementation of AI.

Europe

GDPR – General Data Protection Regulation

The European GDPR was implemented in May 2018. It is designed to regulate personal data. According to the GDPR, personal data is any information concerning an identified or identifiable person. Under the GDPR, data subjects have a right to receive concise and transparent information about their data; access their personal data upon request; request erasure of their personal data; and object to processing of personal data for marketing or other purposes unrelated to the service being offered. The latter objection, however, does not apply when there is a “legitimate interest” to carry out the service. What counts as a legitimate interest is the subject of much debate. Recent and upcoming rulings are gradually clarifying the matter.

The law also states that data controllers are under a legal obligation to notify the supervisory authority of any data breach within 72 hours.

Part of what was significant about the GDPR is that it applies not only if the data controller (any organization collecting personal data) or processor (any organization processing data on behalf of a data controller) is located inside Europe, but also if it’s located outside the European Economic Area (EEA), if it offers a service to data subjects within the EEA. That extraterritorial jurisdiction has made the GDPR hugely effective across the world. It has made some international corporations improve their standards everywhere, because it is too complicated to have one system for European residents and a different one for the rest of the world. It also looks bad to have better standards for some users than others. The GDPR has also inspired some countries to come up with their own privacy legislation.

DMA – Digital Markets Act

The Digital Markets Act (DMA) is a landmark piece of legislation passed by the European Union in 2022 that aims to create a more fair and competitive digital marketspace. The DMA targets large online platforms with "gatekeeper" status, which are defined as companies that hold a dominant position in a market and have the ability to distort competition. Key provisions of the DMA include:

DSA – Digital Services Act

The Digital Services Act (DSA) is a regulation in EU law that aims to update the Electronic Commerce Directive 2000 regarding illegal content, transparent advertising, and disinformation. It was adopted by the European Parliament and the Council of the European Union in October 2022 and came into force in 2023.

The DSA applies to online intermediaries and platforms, including marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms. It sets out obligations for these platforms to:

There are 19 companies currently beholden to the DSA’s rules, including TikTok, YouTube, Instagram, and X.

The EU AI Act

On March 13, 2024, the EU Parliament approved the Artificial Intelligence Act, commonly known as the EU AI Act, with an aim to establish a common regulatory and legal framework for AI. On May 21, 2024, the Council of the European Union approved the AI Act, which is the final stage in the legislative process.

The AI Act has been designed to ensure proportionate risk mitigation over a range of AI functions. For instance, a company offering an AI service to screen job applicants would have to take steps to prevent their systems from unduly hurting individuals’ access to opportunities. The regulation also imposes a legally binding requirement to notify people when they are interacting with a chatbot, biometric systems, or emotion recognition. Companies will also need to label deepfakes and content generated by AI, as well as design systems to make AI-generated media detectable.

Organizations like banks and insurance companies that offer essential services, and companies that deploy AI classified as high-risk, are obligated to do an impact assessment on how AI will affect people’s rights. Providers of high-risk AI must also keep thorough records of the datasets used, programming and training methodologies, and measures taken for oversight.

The following systems are expected to be prohibited with just six months for companies to ensure compliance:

Non-compliance can lead to substantial fines, ranging from €35 million or 7% of global turnover to €7.5 million or 1.5% of turnover, depending on the offense and company size. The AI Act established the European AI Office that is in charge of compliance, implementation, and enforcement. It is the first body in the world to enforce binding rules on AI. Much like the GDPR, this law has set new global standards. The AI Act became effective on August 1, 2024. A ban on AI systems with unacceptable risk has been in place since February 2, 2025, and a majority of the AI Act’s provisions will be enforced from August 2, 2026.

The United States

Privacy

The United States does not have a federal privacy law. However, it does have some laws that are relevant for privacy.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA was enacted in 1996 and protects the privacy and security of health information. It applies to health care providers, health plans, and other organizations that use or store electronic health information (EHI). HIPAA requires these organizations to implement safeguards to protect EHI from unauthorized access, use, disclosure, alteration, or destruction.

State-level Privacy Regulations

The United States has a patchwork of state privacy regulations that govern how businesses can collect, use, and share personal information about consumers. These regulations vary in scope and enforcement, but they are all designed to protect consumer privacy.

Cybersecurity

On May 12, 2021, President Biden issued an Executive Order (EO) on Improving the Nation's Cybersecurity. The EO is a comprehensive and ambitious plan to strengthen the cybersecurity of the United States against evolving threats.

Key provisions of the EO:

AI

The United States does not have any federal laws related to AI; however, both the White House and several federal agencies have been actively working on guidelines for the development, deployment, and use of AI systems.

Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence

On Oct. 30, 2023, President Biden issued an EO on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. The order is a comprehensive plan to address the national security, economic, and ethical challenges posed by AI.

Key provisions of the EO:

National Institute of Standards and Technology (NIST)’s AI Risk Management Framework (AI RMF)

The NIST developed the AI RMF in 2023. This voluntary framework serves as a guide for organizations designing, developing, deploying, or using AI systems. Its overarching goal is to promote the responsible and trustworthy development of AI while mitigating potential harms.

The AI RMF focuses on four key functions: govern, map, measure, and manage. Through these functions, organizations can build governance structures; identify and map AI risks; measure and assess those risks; and implement appropriate mitigation strategies. The framework emphasizes flexibility and adaptability, catering to organizations of various sizes and across different sectors. Its non-prescriptive approach allows customization based on specific AI use cases and risk profiles.

AI Safety and Security Board

Established by the U.S. Department of Homeland Security on April 26, 2024, the Artificial Intelligence Safety and Security Board (AISSB) advises the Secretary, the critical infrastructure community, other private sector stakeholders, and the broader public on the safe, secure, and responsible development and deployment of AI technology in our nation’s critical infrastructure. The AI Board will develop recommendations to help critical infrastructure stakeholders, such as transportation service providers, pipeline and power grid operators, and internet service providers, more responsibly leverage AI technologies. It will also develop recommendations to prevent and prepare for AI-related disruptions to critical services that impact national or economic security, public health, or safety.

China

China has been rapidly developing and implementing regulations related to AI, covering technology, cybersecurity, privacy, and intellectual property. One significant regulation is the Provisional Administrative Measures of Generative Artificial Intelligence Services (Generative AI Measures), which were published by the Cyberspace Administration of China (CAC) and have been in effect since Aug. 15, 2023. These measures apply to the use of generative AI technology to provide services for generating text, pictures, sounds, videos, and other content within the territory of China. They impose various obligations on generative AI service providers, including the prohibition of generating illegal content, taking measures to prevent the generation of discriminatory content, and not infringing on others' rights, including privacy rights and personal information rights.

China has enacted several comprehensive laws aimed at protecting personal information, like the Personal Information Protection Law (PIPL) and the Internet Information Service Algorithmic Recommendation Management Provisions. These regulations mandate data minimization, user consent, and transparency in algorithm decision-making.