Legal Ops: Interpreting AI Regulation and Risk

Businesses have been using artificial intelligence for years. But while machine learning (ML) models have often been taken from open-source repositories and built into business-specific systems, there has been little documentation and less policy on the origin of the models and their security features. There are many open questions regarding the practicalities of security, liability and even whether it is responsible to continuously develop this new technology. Emerging standards, guidance and regulation for AI are being created worldwide, and Legal Ops needs to understand them. Organizations such as the European Telecommunications Standardization Institute (ETSI), European Union Agency of Cybersecurity (ENISA), International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST) are creating cross-referenced frameworks, and regional regulators, such as the E.U., are considering how to penalize bad practices.

The principles of regulation need to be flexible to cater to the speed of technological development and enable businesses to apply appropriate requirements to their capabilities and risk profile. There needs to be a risk and business resilience mindset rather than a mindset based on compliance alone. Regardless of regulatory changes, it is worthwhile for every business to understand how the risk is being evaluated, what the current exposure level is, and how standards and regulations will affect the company. What might be appropriate guidance for one company is not necessarily suitable for another.