Responsible AI: Regulatory Trends and Governance Challenges

Transcription

David Stearns:
Welcome to BSR Insights, a series of conversations on emerging and cross-cutting business, economic, and social issues. Drawing on BSR's expertise for more than three decades of leadership in sustainable business, we'll help practitioners and decision makers to navigate today's increasingly complex world. I'm your host, David Stearns.

Thank you for joining us. In our last episode, we introduced the topic of what responsible artificial intelligence looks like in practice. We discussed definitions—what do we mean when we talk about responsible AI—and what are the fundamental elements for achieving it? We discussed best practices for companies, both the tech industry developers and the deployers in pretty much every other sector, and the role of sustainability teams in ensuring the responsible use of AI across both environmental and societal considerations.

Today, we'll be turning our focus to the geopolitical and regulatory trends which companies are navigating as they accelerate their development, procurement, and deployment of AI tools and products. Governments are taking divergent approaches to AI regulation, from the EU which has advanced comprehensive legislation through the AI Act, though not without pushback, to the U.S. which has emphasized innovation and limited state level regulation. Other governments are pursuing sector-specific rules or voluntary risk management frameworks.

To help us understand this rapidly evolving landscape, I'm pleased to be joined by two experts in the field. From Brussels, we're joined by Will Manley, Head of Digital Regulation for leading international law firm, Slaughter and May. Will has broad experience advising digital tech and corporate clients on high value matters across digital and AI regulation, antitrust, and other regulatory areas. Thank you for joining us, Will.

Will Manley:
Pleasure to be here.

David Stearns:
We're also joined from London by Richard Wingfield, BSR Director, who leads BSR's Responsible Tech practice, where he works with companies that develop and use technology to build human rights and environmental considerations and practices into their products, services, and policies. Welcome, Richard.

Richard Wingfield:
Great to be here, David.

David Stearns:
It's great to be chatting with you both today. I'm going to start with you, Richard, just from a broad perspective. AI is increasingly a hot political and geopolitical topic around the world. What are you seeing on this front and what does it mean for how governments are regulating artificial intelligence?

Richard Wingfield:
Thanks, David. Well, it's hard to take a look at the newspapers or look at the news online without coming across some issue relating to AI pretty regularly at this point. It's one of the biggest topics that governments are looking at at the moment—not just governments, but international organizations as well. But it's a particularly strategic technology, and so, we are seeing governments around the world look at it through a strategic lens, as well as just as a technology that requires regulation.

I think it goes without saying that there is a battle amongst many governments around the world to be the leading country when it comes to AI developments. That battle is primarily between the U.S. and China, but we've seen other governments as well want to take advantage of the benefits of AI, while also making sure that risk is managed. That said, we have seen divergent approaches amongst different governments, and you hinted at some of those in your introduction.

The European Union is by far and away the regulatory authority or the jurisdiction where we've seen the most advanced legislation come forward. I think, at the moment, it is still the only part of the world where we have seen comprehensive regulation of AI in the form of the Artificial Intelligence Act. That is largely to try and manage many of the risks to people that come with the development of the technology itself.

For example, it designates a number of types of AI as high-risk AI systems that will be required to undergo certain standards, testing, and risk assessments before they can be released. It actually also prohibits a number of particular AI systems that are deemed to be unacceptable in the level of risk that they pose. You can contrast the approach of the European Union with that of the United States, which is perhaps on the other end of the spectrum, where particularly at the federal level there's been a real resistance in terms of regulation or anything that might slow down innovation or development of the technology. There is a bit of nuance there at the state level. There are some states that want to introduce some regulation, but certainly at the federal level, real resistance.

Then across other parts of the world, you have approaches in between those two. You might have sectoral regulation where you have rules around, let's say, AI in the case of the financial services sector or in the healthcare sector. You might have the encouragement of voluntary standards or guidance about managing risk when it comes to AI, but without regulatory enforcement. A lot of these reflect governments’ domestic priorities when it comes to AI, but a lot of it is around the battle between innovation and risk management, and where governments fall on that spectrum. That divergence is certainly continuing at the moment. We're not seeing a harmonized or a standardized approach to AI regulation, and I don't think we will anytime soon.

David Stearns:
Thanks, Richard. Will, Richard's given us a great overview of some of the regional differentiation in terms of regulations. From a legal perspective, can you give us a better sense of the current state of play when it comes to AI regulations and how the different regulations are varying across the world?

Will Manley:
Sure. Richard's summary was excellent, but I do want to focus a little bit on the nuance because what I see is largely driven by an increasing awareness of voter concerns, a little bit more commonality building around some AI issues than I think you might think of at first glance. I like to think of AI regulation on a spectrum between broad and narrow—either you go very broad, like the EU has done with the trade-offs that it implies in terms of potentially slowing innovation, or you go super narrow or, indeed, non-existent in the case of the federal administration in the U.S. I think we will get to somewhere vaguely in the middle and I think you can see the start of that process already.

Richard's dead right. At the broadest level, we have the EU AI Act. At the narrowest level, you have the federal administration in the U.S. But at the state level, I think already in places like California, Colorado, Texas, and other states, you see state laws which actually are quite similar in some respects to the EU AI Act and the rules that they're bringing forward. So you see some common themes emerging. There's a concern about transparency when users are interacting with AI, including in the context of deepfakes, which is a broadly held concern. You see the idea of some risk management rules developing around higher-risk AI systems, which is a key feature of the AI Act.

Then you see some use cases that are proving to be more sensitive than others. Recruitment seems to be a big focus in Europe and in some U.S. states, including New York. We’re starting to see some coalescence around a body of rules that will attach to particularly concerning areas of AI that I'm seeing in Europe and the U.S., and to an extent, the UK. I think the UK, in fact, is proving to be one of the lightest regulated AI environments because the government is acutely conscious of protecting virtually the only sector that holds out any promise of growth in the UK. That's quite interesting to see.

I think what you also see is what I call moment-by-moment legislation, which is governments responding very rapidly to a recent AI event or development that suddenly seems concerning. You saw this with the Grok issues and the hideous capabilities of that chatbot, which provoked an immediate legislative response in Europe and the UK. And more recently, you've seen it with Anthropic's Mythos model, which is triggering a lot of concern among financial regulators and cyber regulators. Alongside the bigger debate of what does the broader rule book look like, I think we'll see this constant moment-by-moment legislation as new AI events trigger concern in particular sectors or around particular issues.

David Stearns:
Thank you for that. Many of our listeners are from companies that are having to navigate these divergent approaches including, as you mentioned, things that are just popping up that we can't necessarily anticipate. Richard, can you talk a little bit about the challenges that all of that is creating for companies, and how they can prepare themselves for this?

Richard Wingfield:
Absolutely. There are some parallels when it comes to AI regulation from other forms of tech or digital regulation, or regulation that particularly affects technology, that we can look to. A couple of examples would be data protection regulation, where you've seen companies that collect and process data have to comply with, in some cases, dozens of different kinds of data protection rules because most countries in the world have some data protection regulation now. Another example would be online safety, or online platform regulation, where you have quite demanding regulation in places like Australia, the European Union, and the UK, and then minimal regulation in other parts of the world. So this is not a new challenge for companies—the idea of regulatory divergence.

What I think the challenge for many companies will be is determining what their response is, because there are quite a few different ways that you could manage those divergent approaches. You could take a very narrow approach, where you go for minimal compliance in each country so your AI products and services meet the requirements in that particular jurisdiction, but you may then release different versions of AI systems in different parts of the world, depending on what those requirements are. You might see another approach being taken, and this is what we saw many companies do in response to data protection rules, is you take the most demanding regulation that's out there, which in a lot of cases is the EU's GDPR, and you apply that as your universal standard. So you basically apply the GDPR to data anywhere in the world, even if it's not subject to that requirement, simply because it means that you have a single internal data protection standard that you are complying with.

We've seen different companies apply different approaches when it comes to different kinds of tech regulation. I think the temptation for many AI companies will be the former, at the moment, because there are large markets around the world, particularly in the US, that don't have those kinds of rules. And so, you might see a situation where you have a universal type of AI system, and then a slightly different one just in the European Union market which follows those particular local requirements. That, I think, is where companies are going at the moment.

But if you then look at what that means internally, and perhaps we'll come onto this a little bit later in the discussion, you don't really want to have multiple different internal processes for what your AI governance looks like depending on the particular jurisdiction. You might see differences in terms of the products and services that are marketed, but a single internal approach to AI governance—that's certainly what we've been recommending to companies. And we would hope that they would align it with other overlapping approaches that they take on things, like responsible business conduct on their human rights to environmental considerations, as well.

So there's a range of different options out there. I think we're still at an early stage of seeing where companies will go, but I suspect they will want to maximize the potential innovation and the potential products and services they can sell, and so apply rules fairly narrowly just in the jurisdictions where those requirements will kick in. But I'd be interested to hear Will's thoughts on this question, given that you're probably closer to the advice that companies are receiving on this one.

Will Manley:
Yes. A lot of what I'm seeing is consistent with what you've just described, Richard. It is an unavoidably complex picture. I think the days of the classic GDPR example—which is, you comply to the highest standard internationally and you go off and do your business—I think those days are kind of over. It's difficult to offer clients that crisp advice now because often, complying to the highest standard will be commercially intolerable. What you've seen most obviously with AI model training—that's almost all happened outside of Europe because of the regulatory constraints in Europe. That kind of approach won't be able to sustain through the adoption phase, so companies will need to make difficult decisions about what they launch and how they launch products.

As you say, Richard, I think what we are seeing is a demand for integrated advice across the landscape, and that was the genesis for our Digital Regulation practice at Slaughter and May because we were seeing clients ask in a given product launch, "How is this touched not only by, for instance, the AI Act, but how is it touched by privacy rules, other digital rules? What are the IP issues?" The advice is often regionally specific, but it's not good enough for clients to go out to 15 different law firms and get 15 divergent answers. They're looking for good actionable advice that's risk-based. So that's what we're trying to do.

We also see more demand for insights into national jurisdictions than we did in the past. Because this is so strategic, a lot of the debates are actually driven at national level, almost more than they're driven at Brussels level now. In the EU, we see that with content regulation under the Digital Services Act, where the EU is proving to be a bit of a passenger in some of these debates. That's where we can offer, I think, some value—providing those insights because clients simply won't have the bandwidth to understand the latest development in Germany when it comes to platform regulation. They need to rely on us to offer that kind of advice.

So yeah—unavoidably complex and unfortunately, not an environment where you can say simply to clients, comply to the highest standard. I think inevitably, we'll see products that previously would have been released globally, and in roughly the same form, start to be released in a much more staggered fashion as they undergo the different regulatory analysis.

More generally, I think, and we can discuss this further later in the session, but we are advising clients to just get used to some residual uncertainty in a given product launch because so many of these rules are new, and there are new rules every month, that they're never going to reach a perfect state of compliance all of the time. And the process of doing so will make them hideously uncompetitive. I think culturally, we're in a moment now where clients are having to get used to a lot more uncertainty than they have done in the past. That's easier with some clients than others because some of them have more appetite for risk than others, but it's something we're having to help clients with.

David Stearns:
Thanks, Will. Just to pivot away for a moment from the strict focus on regulatory—companies are facing growing scrutiny, beyond regulators, from investors, from workers, from users, and from other external evaluations. Richard, I'm curious if you could tell us a little bit about your perspective. What are their main concerns and do these concerns vary? Are there different concerns that are being posed from investors and users, say, in North America as opposed to Europe or other regions of the world? Give us a little bit of a flavor of some of the other scrutiny from external stakeholders, and how those might vary across the world.

Richard Wingfield:
We've touched on it a little bit already, and earlier, Will mentioned that one of the drivers for regulation was concerns amongst voters. I think we've seen this story before, particularly in the context of social media regulation where particular incidents of harm, often very high-profile, involved a lot of campaigning from affected individuals and civil society organizations that really drove the regulatory response from the government. Many of the harms connected to social media that we're seeing with AI are quite emotive, quite personal, quite human-centered. Many governments are responding to that.

So if we're looking at concerns amongst users—Will gave some of these examples already—the big ones, I would say, are harmful AI generated content, particularly when it involves individuals and the impacts on protection of children or privacy, and what that might look like. We've seen huge concern from the creative sector when it comes to IP and the potential use of IP when it comes to AI models, and the outputs of generative AI—so real lobbying and concern from that particular sector.

And then I think a growing concern will be job losses. We are already seeing people affected by AI when it comes to either job losses or job displacement, or companies deciding to reduce the amount of hiring on the basis that AI can do a lot of entry level jobs. That's going to raise concerns amongst graduates, trade unions, groups like those. So there are different stakeholders that take different concerns seriously, but many of them are quite effective in getting those concerns raised at a governmental level and in lobbying towards them.

Some of the other stakeholders that you mentioned in your question are a little different. Investors are paying real attention to AI. Many responsible investors have had concerns about the human rights or environmental risks associated with particular companies' practices for a long time. That is not new, but I think they recognize the serious risks that come with AI when it comes to people and the planet. The environmental impacts are only growing in terms of public awareness. We've seen this, for example, with state laws in the U.S. now prohibiting the building of data centers or certain infrastructure that's needed for AI. That concern will only grow.

From a human rights risk perspective, we're now seeing the use of AI in military and defense technology. So there are really serious risks associated with companies that are developing AI systems now, particularly when they're associated with high-risk customers, like departments of defense or ministries of defense or military services. Investors are taking a really serious, in many ways ahead of other stakeholder groups, look at what their role is in investing when it comes to companies, whether that's shareholder resolutions, whether it is conditions on investment, whether it's the due diligence that they're undertaking. So they are taking quite a broad approach.

The other user group that I don't think we talk about enough, or that we don't hear about enough but are actually quite important, are the employees of companies as well. They're often affected directly by the introduction of AI systems within the workplace. They will often have concerns about the environmental impacts and energy use of the AI that they're encouraged to use. They may have concerns about biases in decision-making internally. There's a whole host of issues. At BSR actually, when we talk to our companies, often they tell us that this is a really big issue for their own employees as well. And that's part of the thought process in terms of what a responsible approach to AI looks like.

In terms of regional variations though, I don't think I've seen a huge amount of difference, and that's because AI is in many ways a global technology and its impact will largely be felt similarly across many parts of the world. So if AI is going to lead to job losses in one part of the world in a particular sector, almost certainly, everywhere else will feel the same impact. If you've got harmful generated AI content, it is not going to be limited to one particular country or part of the world where that content is going to exist. And so, I would say that many of the concerns that are raised by these groups are fairly universal, and regional differences are relatively minor.

David Stearns:
Thank you for that, Richard. If I could just follow up quickly on one point you raised around employees. You talked a little bit about inherent biases and some concerns around that. I didn't hear you talk about concerns from workers or employees around job displacement that might result from AI. I'm curious as to the extent that that is becoming more of a concern raised with companies, either from worker groups or as part of any of the regulations that you and Will have been discussing. Are there any efforts to put in safeguards to protect jobs?

Richard Wingfield:
It's definitely a concern amongst workers. Job losses in and of themselves are always going to concern any worker, worker group, or any trade union. That is regularly raised, particularly in sectors that are more vulnerable to job losses—the sectors and services where AI is very quickly replacing people. Coding is a great example, where AI is as sophisticated as most humans now. So huge concerns for those particular skills. But there are also concerns around the impact that AI has on the nature of your job. Is it taking away the things that you actually enjoyed about your job? Is AI being used as part of performance monitoring in your job? Is the nature of your job changing significantly from the one that you signed up for because of the integration of AI? It's a slightly different concern there, but we are seeing that raised as well.

What I haven't seen, is any regulatory efforts to try to minimize the impact of AI on job losses. I think governments are taking the approach of trying to look at things like digital skills in schools, retraining people who might be affected by AI—basically trying to make sure that people are resilient and able to find new jobs if they are affected by AI rather than restricting companies from using the types of AI that might result in job losses. I think trying to do so would be like trying to hold back the tide a little bit. And so, I think governments are looking at different policy interventions to try to manage the overall impact of AI on the workforce and on the economy.

Will Manley:
Just on that, from a Brussels perspective, if you go to an AI conference in Brussels now, a word that you will hear prominently is trust because the EU believes that there's a trust issue around AI, and it's probably not wrong because a lot of voters do have serious trust issues with AI. What will be interesting to see in the coming years is, I think from the top, i.e., from the Brussels institutions, you have the AI Act, which is supposed to increase trust in AI technology. That's one of its main objectives because EU believes that more trusted AI will be AI that's more widely adopted. You may see that manifest in standards, for example—AI products that come with a particular standard, or a particular seal attached to them which has some EU blessing.

It'll be interesting to see how much that principle emanates from the bottom as well, from voter concerns, but also from concerns among clients who are implementing AI. I think there's a reasonable likelihood that irrespective of what the regulation says, AI providers will need to start competing on these parameters as the most trustworthy AI—the AI that your employees will trust. That will be really interesting to see. I think the EU has tried to get the jump on that process in the way that it knows, which is to pass rules and to set standards. I think you'll also see it coming up in the other direction, which is emanating from voter concerns and from client demands.

Richard Wingfield:
I think there's a really interesting contrast there with social media—not perfect parallels, but social media went through a period of many years when it was generally really loved by the public. People were very keen on using different social media platforms. There was huge enthusiasm about the opportunities that it provided. Then eventually, there was some growing cynicism as the more harmful impacts associated with social media began to be felt, and that led to regulation. But that really took a long time. That was almost over a decade before that mood shift amongst the public happened.

Most people have only really thought about AI properly in the last two or three years, as a result of generative AI technology really becoming quite mainstream. Already, I think many people are becoming a little bit cynical. I think their experience of it is hallucinations on AI chatbots. It's seeing AI slop on social media feeds. It’s concerns about AI replacing their job. There's quite a lot of negativity already amongst populations around the impacts that AI is having.

I think there is more nervousness than excitement about it as a technology. It's quite an interesting contrast with other new technologies where generally, there's been a lot of enthusiasm about it, and because of the reasons that we'll set out, I think those concerns amongst the public will push governments to regulate perhaps more quickly than they did with social media.

David Stearns:
That's really interesting. To the extent that companies need to be prepared to respond to these pressures, we've often at BSR talked about not limiting ambition to where the regulatory line ends but instead, trying to be a little more ambitious in terms of how you are working to identify, mitigate, and remedy harms to people and the environment, relevant to the development and use of your products. I’d be curious to hear from both of you, if you were sitting down with a hypothetical client and had to come up with a wish list of the two or three things that the company should do to prepare for this environment, what would you say to them? Maybe we'll start with you, Will.

Will Manley:
I think the first thing would be to make regulatory considerations part of your innovation cycle—and regulatory considerations broadly defined. So when you're bringing a product through, you need to consider from the initiation of the product cycle, what does the regulatory treatment look like and what does the broader benefits analysis look like to as wide a population as possible? I think the worst outcome will be clients who develop a product, it's 99% ready and then they do a legal analysis, because that's the kind of situation where you might throw up some hideous problem which then requires a rebuild.

We're trying to advise clients to think about this stuff as part of their product lifecycle. I think that is consistent with what Richard has been saying, which is, particularly with AI, that the assessment will be broad, not narrow. You need to be thinking not just how this is going to be treated legally, but what kind of complaints, what kind of concerns this product can attract in a context which is very politically febrile and where there's a lot of voter concern? So that's what I would say to a client—make it part of the process, not just a box that you tick at the end.

Another aspect, I think number two, is the point I made earlier which is getting used to some residual uncertainty in any given product launch. If you're advising a client on the launch of an agentic AI solution, that solution now in Europe could find itself subject to 10 to 15 different rule books. The legal treatment might be unclear in places. It might not be perfectly compliant in all areas, but the commercial opportunity might be significant, the product may be fantastic, and the advice just can't get in the way of that. So the client needs to get comfortable launching a product knowing that there is some lack of clarity in the legal treatment.

I guess the third point is less of a legal point, and I'm conscious of straying too much into policy, but something I hear at the moment in the conference circuit in Brussels is the idea of a narrative, which is that we're rushing through to this technological future that we assume will be better for us, but very few people are making the point very coherently of how it will be better for us—and how in the specific context of someone who may be displaced by an AI technology, or may just not know what next week looks like at work, or the month after, or the year after.

When they're implementing these technologies, clients need to think, probably harder than ever, about their broader narrative. And it's not just because this will increase net profit and increase stakeholder benefits—it's really that it will make life better. The narrative point I think everyone can do a bit more work on, and that's the feeling I'm getting when I speak to people in Brussels. But I'm not sure what you're seeing, Richard.

Richard Wingfield:
Well, I suppose we come to this question from a slightly different perspective at BSR, where we don't necessarily provide regulatory advice, though the impact of regulation is something we always have in mind when we are talking to companies. But a few of the things that I might suggest, building on what you've suggested there, Will, is first to really get to grips with your AI governance internally within the company.

I think in many cases, the development of AI is seen as an issue for the AI team or for a product team, but recognition of the significant impacts that it can have means that it really needs to be treated at a corporate level with engagements and involvement from your board, and really senior responsibility allocated towards the way a company's going to be developing or using AI.

We would encourage companies to really get its governance of AI in order, and that's everything from the different policies or principles that it might have on AI. That can, I think, be connected to the narrative that you're talking about, Will. What does AI mean for us as a company? What are we going to do with it, and what are we not going to do with it? And why are we using it in the first place?

And then having processes in place to manage the risks that come with it, which I suppose is my second point in a way. Will, you mentioned earlier that although you have this spectrum of different types of AI regulation, there are some commonalities emerging as well—things like transparency or risk assessment. I would encourage companies to integrate those into their AI governance as well, without wanting to stifle innovation, because assessments of risk can also lead to opportunities being identified as well. Build those processes into your AI product development or your sales as appropriate.

I think a third point that I might mention as well, because we've talked a little bit about the different user groups or stakeholders who take an interest in this, is to really get into the habit of regular engagement with stakeholders on AI as a topic. This can be undertaken by different parts of the company. Talk to your employees and get their perspective about the way AI is being used. Talk to your investors. They'll almost certainly want to talk to you about it, but work with them as well. Increasingly, regulators are going to be taking an interest, even if they are not AI-focused regulators. We know communications regulators or online safety regulators are really interested in the way that AI is being used.

Where you have opportunities to talk to your customers, think about that as well. Recognizing the impacts of AI—and not just within your own workforce, but on people outside of that as well, particularly when it comes to environmental considerations—really get into the habit of integrating stakeholder engagement as part of your approach to AI as a company. Those are the kinds of things that we are recommending to companies. I think all of those in many ways, even if not necessarily required explicitly by regulation, will help towards some of the compliance aspects as well.

David Stearns:
Thanks, Richard. This has been a great conversation. I want to ask one final question, just to get some insights from either or both of you. For those who are interested in learning more about everything that we've discussed today—I know this is probably, for both of you, just the surface of where we could go with this—are there any other resources out there that our listeners might look into if they want to do additional investigation, or additional research, that you're paying attention to?

Richard Wingfield:
I'm happy to go first on this one because, of course, this is the second episode in our podcast series. I would encourage all of our listeners to listen to the first and third episodes of this series as well. BSR has put out a lot over the last year or so when it comes to AI, admittedly from a sustainability perspective, of course. That won't be a surprise. Early this year, we published an Insights+ piece, which really looked at some of the initial steps that companies can take when it comes to taking a responsible approach to AI. They touch upon some of the things we've talked about today in terms of governance, of management, of risk, and so forth. We'd encourage listeners to take a look at that.

We've also published some tools and standards that might be helpful for companies in particular sectors. Last year, we published our human rights assessment of the generative AI value chain. So if you are a company that is involved at all in generative AI, whether it's as a developer, whether it's as a company that is using generative AI internally, take a look at that and that will give you some guidance on some of the main human rights risks and opportunities for managing and mitigating them as well. Those would be a couple of resources that I would signpost.

David Stearns:
Anything from the Slaughter and May side, Will?

Will Manley:
You won't be surprised if I promote our own content, but we publish legal insights on all digital areas and increasingly on AI. That can all be found on our digital regulation page, also on our lens blog. We try to hold to a standard of need-to-know or interesting views. So you'll see everything you need to know if you're in house, if you're dealing with digital regulation issues. It's a really helpful resource. I'm also probably annoyingly active on LinkedIn.

David Stearns:
That's great to hear. Will, Richard, thank you very much for this conversation—really valuable insights. I think maybe we should pencil in a follow-up conversation a year from now. I bet it will be a very different conversation. We can't project into the future, but it's moving quickly, so I think it'd be fascinating to come back and see where things evolve.

In the meantime, we welcome all of our listeners to visit BSR's website at bsr.org. As Richard mentioned, you can find additional tools and insights to help you and your company navigate the dynamic context of responsible development and use of AI. For the BSR Insights Podcast, I'm David Stearns. Thank you, and we'll see you next time. Thanks for listening. For more in depth insights and guidance from BSR, please check out our website at bsr.org and be sure to follow us on LinkedIn.