At its core, consequentialism focuses on the outcomes or results of an action to determine whether it is right or wrong. The most common form is utilitarianism, which aims to maximize overall utility. Utility is often defined in terms of pleasure, happiness, or the satisfaction of desires. Under utilitarianism, the morally correct action in any situation is the one that produces the greatest net utility for all affected.
For example, designing or implementing a particular AI system would be considered morally good under utilitarianism if it increases the overall pleasure across society more than other actions one could take. Actions are not intrinsically moral, but derive their moral value solely from their results. Utilitarianism is forward-looking, circumstantially relative, and focused on end consequences. Two of the most famous proponents of this approach were Jeremy Bentham and John Stuart Mill.
A key advantage of consequentialism is that it provides a single, quantifiable metric for determining moral value. One shortcoming, however, is that the choice of metric is highly subjective, and quantification of value can be challenging. Utilitarian calculations aim to be impartial, objective, and amenable to scientific measurement of utility. However, consequences are often unpredictable, and it is unclear where the calculation should stop (i.e., should we consider only immediate consequences, or also the consequences of the consequences, and the consequences of those, etc.?).
Critics of utilitarianism and other forms of consequentialism argue that always maximizing utility can lead to actions that many consider immoral, like severely violating individual rights for the greater good. Utilitarianism struggles with situations in which utility is maximized by something most would consider unethical. The classic example is one in which a doctor has the chance to kill an unfriendly patient to use his organs and save five other patients. In the realm of AI, someone could justify implementing an AI system that violates rights on the grounds that it is more efficient and therefore saves resources.
In response, some consequentialists grant moral weight to following general moral rules (as opposed to acts) that tend to maximize utility. Rule consequentialists judge acts by whether they adhere to utility-maximizing rules, not only by their case-specific outcomes. This workaround addresses some issues with utilitarianism by ensuring rules against murder, lying, and the like are upheld even when breaking them may increase utility in isolated cases. The doctor should not kill her patient because that would undermine trust in the medical system. We should not implement AI systems that violate rights because, in the long run, that would create more problems than it solves. Some theorists, however, believe that rule consequentialism collapses into deontology.
One of deontology’s most important proponents is Immanuel Kant. According to Kant, individuals have a moral obligation to act in a way that is universally applicable and treats others as ends in themselves, rather than only as means to an end. In other words, we shouldn’t treat people like things. People are ends in themselves, in that they have their own values and goals as a part of being autonomous.
The categorical imperative, a fundamental principle of Kantian ethics, asserts that one should act only according to maxims that could be willed as a universal law without contradiction, such as, “It’s wrong to lie.” Kant emphasizes the importance of moral principles, rationality, and a sense of duty in guiding ethical decision making, irrespective of the consequences.
Morality, in Kant's view, is grounded in reason and the intrinsic value of individuals, providing a principled foundation for ethical behavior. Kant is famous for not having placed moral weight on consequences. In his view, lying is always wrong, irrespective of potential consequences.
Most contemporary deontologists care about consequences and grant them moral weight. For a deontologist, however, consequences are not the only moral consideration worth taking into account and, for most deontologists, there will be red lines that should not be crossed even when it seems like the consequences might be beneficial overall.
Rights, rules, and ethical principles are all deontological in nature. They provide ethical guidance of what to do and what not to do that goes beyond consequences.
The key question in virtue ethics is, "What kind of person should I be?" Rather than focusing on universal duties or maximizing utility, virtue ethicists ask what character traits we should cultivate to live well. These virtues include wisdom, courage, humanity, justice, temperance, and generosity. Acting virtuously means exercising practical wisdom to moderate our emotions, appetites, and behavior appropriately in each situation.
Virtue ethicists believe we should aspire to ideals of human excellence. Virtues are nurtured through practice, habit, and modeling virtuous exemplars. One way to approach ethical dilemmas from a virtue ethics point of view is to ask what a virtuous agent would do in a particular situation; the agent can be thought of in the abstract or as a concrete example (e.g., What would Jesus, Mohammed, Solomon, Gandhi, etc. do in this circumstance?). Virtue ethics sees morality as a matter of character built over a lifetime, not just discrete acts.
Critics argue virtue ethics lacks clear guidance for moral decisions compared to duty-based or consequentialist approaches. Because different virtues can conflict, how to weigh them is unclear. Virtue ethicists counter that practical wisdom helps navigate hard cases, and that they are at no disadvantage with respect to other theories; moral duties can also conflict, and consequences are not always comparable. Virtue ethics also integrates well with common morality, given that most people seem to learn about morality through habituation in the context of socialization (e.g., parents teaching us over and over how to behave kindly toward others).
Modern developments in virtue ethics expand its scope beyond individual character. For organizations and societies, virtues might include justice, accountability, environmental stewardship, and responsible innovation. Virtue ethics is seeing renewed interest across disciplines like moral psychology and business ethics. In the context of AI, some scholars have suggested that to build AI that is ethical, we must build it in a virtue ethics way, which would imply it learning from experience and habit, like children do. Otherwise, morality is so complex that we might never be able to code it in a top-down approach.
As mentioned before, consequentialism, deontology, and virtue ethics are not mutually exclusive, and in the context of practical ethics, they complement one another. The best kind of moral decision is one that accords with all three theories, that is, an act that maximizes good consequences, respects rights, complies with ethical principles, and embodies virtues.
Ethical concerns have a long history in the field of medicine, given its direct involvement in matters of life and death. The Hippocratic Oath, thought to have been first written in Greece between the fifth and third centuries BCE, emphasizes the importance of physicians doing no harm to patients. Since that time, there have been various attempts at formalizing a code of medical ethics and exploring issues related to medical ethics.
The American Medical Association adopted its first code of ethics in 1847, drawing on earlier work done in the UK. There was an acceleration of, and an increased attention to, issues surrounding medical ethics in the 20th century, which saw the creation of several important documents, including the Nuremberg Code (1947), the Declaration of Geneva (1948), the Declaration of Helsinki (1964), and the Belmont Report (1978). Medical ethics became more fully evolved in the 1970s, driven by factors including the increased concentration of medical care in hospitals and other depersonalized settings, the rising cost of medical care and increased role of government in health insurance funding, the development of “patients’ rights” as an outgrowth of broader efforts around civil rights, public outrage at medical scandals such as the Tuskegee Syphilis Experiment, and rapid advances in technology.
Technological advances posed new ethical challenges for doctors that needed solutions. The advent of the mechanical ventilator, for instance, prompted a reconsideration of the concept of death and led to the development of ethics surrounding organ transplantation. Physicians were now confronted with the dilemma of warm, heart-beating bodies with non-functioning brains, who presented an opportunity for organ procurement for transplantation. Whether to take the organs of these bodies is a moral question, not a medical one.
Practical needs, therefore, were an impetus behind the establishment of ethical frameworks, emphasizing that the responsibility of resolving ethical dilemmas should not rest solely on healthcare professionals, whose expertise lies in maintaining health rather than navigating ethical complexities.
In a manner not wholly dissimilar to that of the medical field in the 1970s, AI and other digital technology companies have found themselves to be central figures in significant controversies in recent years. As people have become concerned about the potential impact of digital practices on their lives, demand for ethical standards has grown.
Furthermore, with rapid advances in technology related to the collection, analysis, and utilization of personal data, along with the design of new applications, platforms, and tools such as autonomous cars, novel ethical dilemmas have arisen. Engineers, programmers, data analysts, risk managers, CIOs, CEOs, and Boards find themselves faced with new challenges that their training and experience may not fully equip them to face.
Nonmaleficence does not prohibit all types of harm unconditionally. Some level of risk is permissible if it enables benefits that justify that risk, or if no alternatives are available. For instance, medical procedures (and clinical trials) inherently incur some risk but may still be justified by their necessity and benefits.
Importantly, it matters who is making the decision, and who will bear the brunt of the harm if things go badly. It is more ethically acceptable to impose risks on people who stand to benefit from whatever the proposed action is. For example, very risky clinical research may be morally acceptable if the research subjects suffer from a sufficiently serious ailment and stand to benefit from the research if it goes well. The same risky research may very well be considered morally unacceptable on healthy research subjects, or on research subjects who have an ailment that does not stand to be cured by the research. An analogous situation in AI would be considering it unacceptable for people who are at no risk of harm to impose algorithmic risks on people who do not stand to gain from those risks.
A common misunderstanding is that beneficence is solely an outcome-focused, consequentialist concept. However, duty-based deontological frameworks include beneficence as an obligation we must fulfill above and beyond what may maximize utility.
There are limits to the duty of beneficence, however. No one individual can alleviate all suffering in the world, so reasonable constraints apply. Considerations like scarce resources, competing obligations, reasonableness, and demandingness (i.e., there’s only so much ethics can demand of individuals) should factor into determining the extent of our duty of beneficence. Additionally, the recipient's right to autonomy may preclude unwanted "benefits" that disrespect personal agency and choice. People have a right to decide what is best for them, and with some exceptions (e.g., public health worries, or worries about whether a person is autonomous), that right usually trumps unwanted offers of beneficence. Nonetheless, within these bounds, actively pursuing the welfare and legitimate interests of others remains a key deontological duty.
In the context of AI, one way to think about beneficence is a duty that AI systems benefit humanity in some way. At a minimum, an AI system should offer solutions to problems, and be designed to improve the lives of those who interact with it.
There are different concepts of justice. Procedural justice demands fair processes and impartiality. Distributive justice focuses on equitable allocation of benefits and burdens in society. Restorative justice aims to repair harms through reconciling victims and offenders. Interactional justice concerns respect and fairness between individuals. Social justice refers to just institutions in society that provide for basic rights and needs.
Justice is concerned with ensuring human rights are respected, resources are distributed equitably, opportunities are available to all, the law is applied impartially, and no one is discriminated against unfairly. Violations of justice may lead to human rights abuses, discrimination, corruption, inequality, and exploitation of vulnerable groups.
However, there are debates around what constitutes a just distribution of goods or a fair process. Different principles of justice - like egalitarianism, utilitarianism, meritocracy, or need-based allocation - can conflict. There are also disagreements around what goods justice should be concerned with distributing, like resources, opportunities, power, or welfare.
Despite these debates, there is broad agreement that justice is a vital moral principle and remains a cornerstone of ethics. To enjoy legitimacy, moral decisions must be justifiable to all and align with what is fair. Another point on which there is broad agreement is that, as a matter of justice, people should not be discriminated against for characteristics that are morally irrelevant (e.g., race).
In cases in which autonomy may be constrained because a person lacks the capacity to make rational decisions (i.e., children, unconscious patients, and patients who lack certain crucial cognitive abilities), a surrogate decision maker, such as a family member or a legal guardian, may need to act in the individual's best interests.
Autonomy has roots in humanistic and existentialist traditions. It depends on capacities for self-awareness, independent decision making, critical reflection, and personal freedom. Infringing on someone's autonomy contravenes her right to direct her own life.
In healthcare, respect for autonomy is crucial. Patients have a right to voluntary informed consent and refusal regarding their treatment. The doctor’s duty is to inform the patient appropriately, and it is up to the patient to decide what, if any, treatment to pursue. Coercion, deception, manipulation, and undue influence all undermine autonomy.
An ethical AI system respects people’s autonomy by not using coercive or manipulative tactics to get people to act in a particular way. Technology should help people further their own life goals, as opposed to trying to further the goals of third parties (e.g., companies, governments, etc.).
One reason explainability is thought to be important is for the purposes of accountability. Decisions made by AIs (particularly in areas like healthcare, finance, and criminal justice) can have a profound impact on individuals' lives. Ensuring that AI systems can explain their decisions is essential for being able to hold accountable the companies and people that design and implement them. It can also help identify and rectify errors, biases, or unfair practices.
Explainability is also thought to further trust. Trust is a fundamental component of the adoption and acceptance of AI technologies. If users or stakeholders cannot understand how a system reaches its conclusions, they are less likely to trust it. Explainability fosters trust by making AI systems more transparent and predictable.
Without the ability to explain why an AI system made a particular decision, it becomes harder to ensure that it adheres to ethical guidelines and respects individual rights.
There are various levels and types of explainability in AI:
Local explainability focuses on explaining the decisions of a specific AI model on a single instance or prediction. Local explanations provide insights into why a particular decision was made for a particular case.
Global explainability looks at an AI model’s overall behavior and decision-making processes. It provides a more comprehensive understanding of how the model operates across various inputs.
Model-specific explainability refers to the fact that some AI models have specific explainability techniques tailored to their architecture. For example, decision trees have intuitive rules for explaining their decisions, whereas deep neural networks may require different methods. In contrast, model-agnostic methods are designed to work with any AI model, making them more versatile. They don't rely on the specific architecture or algorithms used in the model.
There is considerable debate about what exactly counts as an explanation and to whom an explanation is owed. The former partially depends on the latter because the explanations intended for experts will likely differ from the kinds of explanations that are intended for regulators or ordinary citizens.
What counts as a good explanation will likely vary depending on the kind of AI, but one popular approach is to develop counterfactual explanations. Consider a case in which an algorithm decides whether to grant loans. A counterfactual explanation might involve presenting a hypothetical scenario that contrasts with the actual decision. For instance, suppose the AI denies a loan to an individual based on certain criteria, such as having too little money in the bank, or earning too low a salary. A counterfactual explanation could be constructed by presenting an alternative scenario, stating the conditions under which the loan would have been approved (e.g., having $10,000 more in the bank, or earning $1,000 more per month as a salary). This counterfactual scenario helps the individuals understand the specific factors that led to the denial and provides actionable insights, such as increasing their salary or their bank savings. Counterfactual explanations contribute to transparency and help users comprehend the influence of different variables on AI decisions.
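The loan case above as a runnable sketch (an added example, not part of the original text): a model-agnostic search that treats the decision function as a black box and finds, for each feature the applicant can change, the smallest increase that flips a denial. The scoring rule, feature names, step sizes and sample applicant are constructed for illustration, and the search assumes the decision is monotone in each feature.

```python
from typing import Callable, Dict, List, Optional, Tuple

Applicant = Dict[str, int]
Model = Callable[[Applicant], bool]


def loan_model(a: Applicant) -> bool:
    """Constructed stand-in for an opaque loan model (an assumption, not a real rule)."""
    return a["bank_balance"] + 10 * a["monthly_salary"] >= 60_000


# Features the applicant can act on: name -> (search step, largest increase considered).
# "age" is deliberately absent: a counterfactual on it would not be actionable.
ACTIONABLE: Dict[str, Tuple[int, int]] = {
    "bank_balance": (500, 100_000),
    "monthly_salary": (100, 20_000),
}


def minimal_increase(model: Model, applicant: Applicant, feature: str,
                     step: int, max_delta: int) -> Optional[int]:
    """Smallest multiple of `step` added to `feature` that yields approval.

    Only calls the model, never inspects it. Returns None when no increase up to
    `max_delta` flips the decision. Assumes approval is monotone in the feature.
    """
    def approved(k: int) -> bool:
        return model({**applicant, feature: applicant[feature] + k * step})

    if approved(0):
        return 0
    max_k = max_delta // step
    if max_k < 1:
        return None
    hi = 1
    while not approved(hi):          # exponential search for an approving point
        if hi >= max_k:
            return None
        hi = min(hi * 2, max_k)
    lo = 0                           # invariant: denied at lo, approved at hi
    while hi - lo > 1:               # binary search for the decision boundary
        mid = (lo + hi) // 2
        if approved(mid):
            hi = mid
        else:
            lo = mid
    return hi * step


def counterfactuals(model: Model, applicant: Applicant,
                    actionable: Dict[str, Tuple[int, int]] = ACTIONABLE) -> Dict[str, int]:
    """Per-feature minimal changes that would have led to approval ({} if approved)."""
    if model(applicant):
        return {}
    found: Dict[str, int] = {}
    for feature, (step, max_delta) in actionable.items():
        delta = minimal_increase(model, applicant, feature, step, max_delta)
        if delta is not None:
            found[feature] = delta
    return found


def explain(model: Model, applicant: Applicant) -> List[str]:
    """Render the counterfactuals as the kind of statement a data subject would read."""
    if model(applicant):
        return ["Approved; no counterfactual needed."]
    return [
        f"Denied. It would have been approved with {delta:,} more in {feature}."
        for feature, delta in counterfactuals(model, applicant).items()
    ]


# Constructed sample applicant.
SAMPLE: Applicant = {"bank_balance": 20_000, "monthly_salary": 3_000, "age": 40}

if __name__ == "__main__":
    for line in explain(loan_model, SAMPLE):
        print(line)
```

Because the search only queries the model, the same code applies to any classifier exposed as a yes/no function, which is what makes the method model-agnostic.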
A well-designed AI should align with its stated purpose, optimizing performance according to established standards. The aim is not to achieve an entirely “objective” algorithm, as every algorithm inherently reflects values embedded in its design. These values are shaped by the perspective that certain aspects are deemed valuable or important, as the algorithm strives to excel based on specific metrics. For instance, an algorithm assessing loan eligibility may prioritize a person's bank account balance, considering it relevant to optimizing loan repayment.
Not all biases are inherently problematic from an ethical standpoint. Justifiable biases can form part of a well-designed AI. Conversely, not all AIs that are statistically or legally unbiased are necessarily ethically acceptable. Even statistically unbiased algorithms can inflict unwarranted harm, such as implementing a service that charges exorbitant fees to everyone. The ethical concern when it comes to AI bias arises when biases result in unfairness, disadvantaging individuals for unjustifiable reasons in comparison to others.
Consider a theoretical dataset containing all relevant data for all the loans that have ever been made. That data would likely show that successful loans (i.e., loans that have been repaid in the agreed-upon time frame) have mostly been given to men, as women have been excluded from active participation in the banking system until relatively recently. If an algorithm used that full historical data set as input, it would likely favor men, even if there is no valid reason for such a preference. Likewise, a dataset that spanned the pre-pandemic years 2010-2019 that was used to help predict office vacancy rates and commuter rail volume for 2025-2030 may lead to inaccurate predictions because the patterns that existed in 2010-2019 may be significantly different from those in 2025-2030.
A different but related data challenge is that historical data rarely show counterfactual outcomes. This problem is called the selective labels problem. For example, a company probably doesn’t track the career progression of those it didn’t hire; therefore, it will never know whether it indeed hired the best candidate. A bank has data on the people to whom it gave loans, but it doesn’t have data on the people to whom it denied loans. The people who were denied loans might’ve become even better clients than those to whom it gave loans, but because it doesn’t have that data, it will continue to select people who are like those to whom it has granted loans in the past.
Another related but distinct kind of bias stemming from data is sampling bias. It is a bias that is well known in science. Sampling bias arises when the data sample is not random. If the data sampled are not random, the trends shown by the population under study may not generalize to another population. Let’s suppose that most of our data comes from young men. And let’s suppose that an AI finds that a particular drug at a certain dose is effective in treating pain. Even if that correlation were not spurious, it may not generalize to other groups such as women or the elderly.
A significant challenge to ensuring fairness in AI algorithms relates to the mathematical impossibility of automating fairness when base rates are unequal. As cited previously, when base rates between populations are different, which is almost always the case, then it is impossible to satisfy demographic parity, predictive rate parity, and equal opportunity simultaneously. For instance, consider a scenario in which a majority of individuals who engage in certain criminal activities are men, and an AI is evaluating the risk of a specific man and woman committing a crime. If the AI assigns a higher risk score to the man, he may argue that he is being treated unfairly. Conversely, if the AI assigns a similar score to the woman, she may argue unfair treatment, given that women statistically exhibit a lower likelihood of committing those crimes. Automating fairness becomes feasible only when base rates are equal, which is seldom the case in reality. Fairness can ultimately be considered a moral or ethical judgment, not a mathematical one, and it can involve making imperfect compromises and trade-offs that might need to change in response to changing circumstances.
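The conflict between the three criteria can be checked numerically (an added example, not part of the original text). For any group, selection rate = base rate × true-positive rate ÷ positive predictive value, so equal opportunity and predictive rate parity together force selection rates to track base rates. The confusion-matrix counts below are constructed, and each group is assumed to have at least one actual positive and one predicted positive.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict


@dataclass(frozen=True)
class GroupOutcomes:
    """Confusion-matrix counts for one population group."""
    tp: int  # predicted positive, actually positive
    fp: int  # predicted positive, actually negative
    fn: int  # predicted negative, actually positive
    tn: int  # predicted negative, actually negative

    def total(self) -> int:
        return self.tp + self.fp + self.fn + self.tn

    def base_rate(self) -> Fraction:
        """Share of the group that is actually positive."""
        return Fraction(self.tp + self.fn, self.total())

    def selection_rate(self) -> Fraction:
        """Share predicted positive; demographic parity compares this."""
        return Fraction(self.tp + self.fp, self.total())

    def ppv(self) -> Fraction:
        """Positive predictive value; predictive rate parity compares this."""
        return Fraction(self.tp, self.tp + self.fp)

    def tpr(self) -> Fraction:
        """True-positive rate; equal opportunity compares this."""
        return Fraction(self.tp, self.tp + self.fn)


def identity_holds(g: GroupOutcomes) -> bool:
    """selection rate == base rate * TPR / PPV (follows from the definitions)."""
    return g.selection_rate() == g.base_rate() * g.tpr() / g.ppv()


def criteria_met(a: GroupOutcomes, b: GroupOutcomes) -> Dict[str, bool]:
    """Which of the three fairness criteria hold exactly between two groups."""
    return {
        "demographic_parity": a.selection_rate() == b.selection_rate(),
        "predictive_rate_parity": a.ppv() == b.ppv(),
        "equal_opportunity": a.tpr() == b.tpr(),
    }


# Constructed data: 1,000 people per group, base rates 50% and 20%.
GROUP_A = GroupOutcomes(tp=400, fp=100, fn=100, tn=400)
# Same TPR (80%) and PPV (80%) as group A, so the selection rate drops to 20%.
GROUP_B = GroupOutcomes(tp=160, fp=40, fn=40, tn=760)
# Group B forced up to group A's 50% selection rate at the same TPR:
# the extra selections are all false positives, so PPV falls to 32%.
GROUP_B_PARITY = GroupOutcomes(tp=160, fp=340, fn=40, tn=460)

if __name__ == "__main__":
    print(criteria_met(GROUP_A, GROUP_B))
    print(criteria_met(GROUP_A, GROUP_B_PARITY))
```

Whichever criterion is relaxed is a choice about who bears the error, which is why the decision cannot be delegated to the metric itself.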
Fairness is not only about outcome, but about procedure. Procedural fairness provides reassurances, not only that a fair outcome will be sought, but that it will be sought through impartial and just processes. Take the justice system as an analogy. Procedural fairness involves having the right structures in place to have rule of law. Outcome fairness involves making sure guilty people receive an appropriate punishment and innocent people go free. Sometimes there are mistakes (e.g., innocent people can end up in jail and guilty people can be set free), but when there is a fair process in place, those mistakes can be justifiable (e.g., the evidence suggests guilt or innocence) and there are ways to right some wrongs (e.g., if new exculpatory evidence emerges, convicted individuals can be granted new trials and possibly be released and seek redress for an unfair outcome). In the context of AI ethics, the challenge is to create corporate structures that can carry out both procedural and outcome fairness. For instance, having an ethics committee that can weigh consequentialist, deontological, and virtue ethics considerations to develop and implement best practices can help achieve both outcome and procedural fairness.
What is most important is to be aware of trade-offs and to make decisions that are justifiable to the population at large, the stockholders, the stakeholders, regulators, and those who lose out. Consequentialist considerations in the self-driving car example would include calculating the potential risk of accidents using different versions of the AI. Deontological considerations would include taking care that an AI doesn’t disfavor people within protected categories (e.g., it could be that the self-driving car AI is better at identifying men because they tend to be larger), or include safety minimums below which we would not be willing to make compromises. Virtue ethics considerations would include putting in place processes for ethical decision making that would result in responsible professionals and a responsible company.
Among the tools that can help companies avoid problematic algorithmic biases are the following:
Technological solutions. Some toolkits are being developed to assess the amount of fairness in a system. Companies can create their own internal “auditing” systems to identify potential biases that their AIs display. Companies acquiring AIs from third parties can demand bias reports from providers (or, possibly even better, from independent assessors) to be aware of how the AIs they are using behave.
Although some technological tools can be helpful in identifying and avoiding bias, technology rarely solves bias problems on its own. This is partly because of the difficulty in automating fairness. If fairness cannot be automated, then algorithmic auditing for fairness cannot be automated either, and AI cannot solve the fairness problems that it creates.
Data quality. Ensuring that data is diverse, updated, accurate, representative, and free from past discriminatory tendencies goes a long way toward avoiding biases, but again, is not a panacea on its own. In some cases, it is possible to use synthetic data (fabricated datasets). The advantages of synthetic data include that it doesn’t entail privacy risks, given that the data does not come from real data subjects; synthetic data can also be more easily rid of problematic biases by design. The disadvantage is that sometimes synthetic data isn’t as precise as real data (especially when it comes to visual data), and that it might differ from real data in ways that are not obvious.
Auditing. Algorithmic auditing is likely the best way to identify and correct biases. There are private companies that offer this service. Auditing will include using technological tools and statistical analyses, but also a fresh and diverse look at your systems.
Ethical committees or similar structures. Instituting forums in which possible problematic biases can be discussed, and in which decisions about trade-offs can be made considering consequentialist, deontological, and virtue ethics considerations, can help ensure procedural fairness and can contribute to outcome fairness.
Training for board and C-suite. Given the wide range of risks to which a firm might be exposed if AI models are designed and implemented in a manner that is not responsible or ethical, firm leadership should be educated as to the risks associated with AI and the importance of ethical/responsible AI practices to help mitigate those risks.
Data security is doing what is necessary to prevent unauthorized access to data. Data security includes protecting data from attacks such as ransomware, which can encrypt or destroy data, as well as from theft, and from attacks that can corrupt data. It covers the physical security of hardware and storage devices, administrative and access controls, organizational policies and procedures (including employee training), and software applications.
Privacy losses can harm citizens in a variety of ways. Individuals can suffer discrimination, blackmail, exposure and public shaming, identity theft, and the like. Privacy losses are also a potential liability to institutions. Every personal data point is a potential lawsuit, a potential fine. Finally, privacy losses can result in harm to society. The extent of personal data collection, for example, has made it relatively easy for anyone (including foreign adversaries) to learn of sensitive information about military personnel or politicians and blackmail them, which can endanger national security and democracy in various ways.
The more personal data is collected, the longer it is stored, and the more it is analyzed and shared, the higher the risk of harm down the line. Personal data suffers from the very dangerous combination of being cheap to mine, very valuable, very sensitive and prone to being abused, and very hard to keep safe.
In cyberspace, defenders are at a disadvantage with respect to attackers. Whereas the attacker can choose the moment and method of attack, defenders must always protect themselves against every type of attack. If there’s an attacker with enough resources and motivation, it’s a matter of time before they get to the data they want. Arguably, the imposition of a risk amounts to a wrong (e.g., someone trying to kill you imposes an unjustifiable risk on you, and therefore a wrong, even if they fail).
Companies that collect more personal data than is needed are creating their own risk. One way to think about it is that personal data is a toxic, albeit potentially highly valuable asset. It might be cheap, easy to mine, and profitable, but it also exposes the company to risk of hacks, leaks, lawsuits, and more. Personal data can also be expensive to manage; given its sensitivity, it needs expensive infrastructure as well as legal teams to ensure compliance. Companies, therefore, have an incentive to consider the risks and rewards related to the collection, storage, and use of personal data when they design products and services.
The following are the most important ethical principles related to privacy and cybersecurity to ensure best practices.
Right to privacy. The right to privacy is generally considered a moral right. That is, for ethical reasons, we have a claim against others that, other things being equal, they do not access our personal data, whether the law in a particular country or historical moment recognizes that right or not. The right is also enshrined in constitutions around the world (thereby making it a legal right as well, in many countries), and in the Universal Declaration of Human Rights.
Data minimization. Data minimization is the most effective way to protect privacy: collecting only the data that is necessary to fulfill a specific purpose. Given that one is imposing a risk on data subjects when one collects their data, personal data should only be collected when the benefit to the data subjects outweighs the possible disadvantages.
Right to be forgotten. The right to be forgotten is a person’s right to have private information about them removed from Internet searches and other directories (thereby making it less accessible), when the data is somehow inadequate (e.g., incorrect), irrelevant or no longer relevant, or excessive in relation to the purposes for which it was processed.
Control over data. Giving people control over their data is another measure that can minimize potential abuses of data. This would involve making it easy for individuals to deny or withdraw consent for data collection and processing, to access their personal data (and the inferences that are made about them), transfer their personal data, and delete their personal data.
Contextual integrity. The use of personal data should adhere to contextual norms of privacy. When people give up their data in a particular context, they have certain expectations about how that data will be used. When we transfer the data to a different context, privacy norms are violated. For example, if a person gives personal data to a bank to carry out a transaction, that data should not be sold to a marketing company or used for another purpose. If a patient gives their data to their doctor for the purposes of receiving a diagnosis and treatment, that data should not end up in the hands of a data broker.
Data deletion. Personal data should be deleted as soon as it is no longer necessary. Routine data deletion is a way to protect individuals, and it is also a way to keep data accurate (personal data tends to change quite quickly; people change tastes, jobs, houses, cars, etc.). Personal data should not be collected with the intention of being kept forever. Having an expiry date is an element of good data-security practices.
Data security. Data security is part of complying with due diligence. It’s good practice to use all technical tools available to keep data safe, from strong encryption (and strong passwords) to thorough anonymization of data and use of cryptographic methods such as differential privacy. If an organization cannot keep data safe, it puts itself at risk by collecting personal data in the first place.
One of the promises that resulted from the UK's AI Summit in November 2023 was the commitment on the part of a few companies, including OpenAI, Google DeepMind, and Anthropic, to give the UK government early access to their systems to be tested for safety. The details of this agreement are unknown. It is unclear whether the government will receive the source code, or what kind of access will be involved. Furthermore, the commitment is not legally binding.
The use of proxies is a common technique used by AI systems to simplify the training process by representing complex or difficult-to-measure objectives with a simpler, easier-to-measure metric. For example, an AI system designed to generate news articles might use word count as a proxy for article quality, rather than trying to measure the quality of the content directly. By using proxies, AI systems can make progress toward a goal without needing to optimize directly for the goal itself, which can be a challenging and computationally expensive task. However, this approach can also introduce potential issues, such as optimizing for a goal that is not truly aligned with the system's overall objective. If outside observers, be they academics or regulatory bodies, don't know what proxies the model is using, it is difficult to govern that model. Additionally, the sheer size and complexity of the models, with millions or even billions of parameters, make it difficult to trace back the processes behind the model's outputs. Different methods to audit the outputs of the systems are being developed to try to get around the difficulty of looking into the "black box."
Even though AI ethics is gradually becoming mainstream, a computer scientist can still go through an education without ever taking a course in AI ethics or being a licensed or certified professional. Although boards are increasingly worried about AI risks, it is still rare to see AI ethicists as board members.
AI is an international technology, from its sources of data and talent to its implementation and use. It is therefore not unreasonable to expect some movement toward international regulation or agreed best practices.
Think of the kind of people with whom you like to surround yourself. Would you be content with them being law-abiding citizens, or would you also like to be around people who are honest, reliable, and loyal? It is not against the law to abandon your friends when they need you the most, but it is certainly immoral. Laws allow us to have orderly interactions with one another within a framework of basic fairness. Ethics allows us to strive toward ways of life that will be most conducive to our own and others’ wellbeing.
Even though AI ethics is gaining importance, there are some who feel that laws are also needed to govern AI. Some laws, like Europe’s General Data Protection Regulation, were not designed to legislate AI, but are relevant for the design and implementation of AI.
The law also states that data controllers are under a legal obligation to notify the supervisory authority of any data breaches within 72 hours.
Part of what was significant about the GDPR is that it applies not only if the data controller (any organization collecting personal data) or processor (any organization processing data on behalf of a data controller) is located inside Europe, but also if it is located outside the European Economic Area (EEA) and offers a service to data subjects within the EEA. That extraterritorial jurisdiction has made the GDPR hugely effective across the world. It has made some international corporations improve their standards everywhere, because it is too complicated to have one system for European residents and a different one for the rest of the world. It also looks bad to have better standards for some users than others. The GDPR has also inspired some countries to come up with their own privacy legislation.
The DSA applies to online intermediaries and platforms, including marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms. It sets out obligations for these platforms to:
There are 19 companies currently beholden to the DSA’s rules, including TikTok, YouTube, Instagram, and X.
The AI Act has been designed to ensure proportionate risk mitigation over a range of AI functions. For instance, a company offering an AI service to screen job applicants would have to take steps to prevent its systems from unduly hurting individuals’ access to opportunities. The regulation also imposes a legally binding requirement to notify people when they are interacting with a chatbot, a biometric system, or an emotion recognition system. Companies will also need to label deepfakes and content generated by AI, as well as design systems to make AI-generated media detectable.
Organizations like banks and insurance companies that offer essential services, and companies that deploy AI classified as high-risk, are obligated to do an impact assessment on how AI will affect people’s rights. Providers of high-risk AI must also keep thorough records of the datasets used, programming and training methodologies, and measures taken for oversight.
The following systems are expected to be prohibited with just six months for companies to ensure compliance:
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA was enacted in 1996 and protects the privacy and security of health information. It applies to health care providers, health plans, and other organizations that use or store electronic health information (EHI). HIPAA requires these organizations to implement safeguards to protect EHI from unauthorized access, use, disclosure, alteration, or destruction.
State-level Privacy Regulations
The United States has a patchwork of state privacy regulations that govern how businesses can collect, use, and share personal information about consumers. These regulations vary in scope and enforcement, but they are all designed to protect consumer privacy.
Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence
On Oct. 30, 2023, President Biden issued an EO on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. The order is a comprehensive plan to address the national security, economic, and ethical challenges posed by AI.
Key provisions of the EO:
National Institute of Standards and Technology (NIST)’s AI Risk Management Framework (AI RMF)
The NIST developed the AI RMF in 2023. This voluntary framework serves as a guide for organizations designing, developing, deploying, or using AI systems. Its overarching goal is to promote the responsible and trustworthy development of AI while mitigating potential harms.
The AI RMF focuses on four key functions: govern, map, measure, and manage. Through these functions, organizations can build governance structures; identify and map AI risks; measure and assess those risks; and implement appropriate mitigation strategies. The framework emphasizes flexibility and adaptability, catering to organizations of various sizes and across different sectors. Its non-prescriptive approach allows customization based on specific AI use cases and risk profiles.
Established by the U.S. Department of Homeland Security on April 26, 2024, the Artificial Intelligence Safety and Security Board (AISSB) advises the Secretary, the critical infrastructure community, other private sector stakeholders, and the broader public on the safe, secure, and responsible development and deployment of AI technology in our nation’s critical infrastructure. The AI Board will develop recommendations to help critical infrastructure stakeholders, such as transportation service providers, pipeline and power grid operators, and internet service providers, more responsibly leverage AI technologies. It will also develop recommendations to prevent and prepare for AI-related disruptions to critical services that impact national or economic security, public health, or safety.
China has enacted several comprehensive laws aimed at protecting personal information, like the Personal Information Protection Law (PIPL) and the Internet Information Service Algorithmic Recommendation Management Provisions. These regulations mandate data minimization, user consent, and transparency in algorithm decision-making.