Why AI guardrails need common sense built around defensibility

The EU AI Act comes into force for UK businesses in a matter of months – but the extent to which it’ll be able to keep pace with AI development is questionable.

The truth is that human pragmatism and existing authorities are likely to play a much larger role in establishing AI guardrails for businesses than new regulations.

Litigation in particular will also play a key part in shaping how we use and govern AI tools.

AGC and VP of Compliance, Archive360.

AI technologies have achieved escape velocity in recent years, evolving at an exponentially rapid pace. New editions of leading foundation models have been released not on a biannual basis, but almost monthly.

Law making, on the other hand, is famously slow to move, passing through interminable committee stages and negotiations before hitting the statute books.

Promulgating new regulations moves only a bit more quickly, but like new laws, often arrive late or miss the mark in rapidly developing markets.

The Mythos warning

Anthropic’s Mythos model is a perfect case in point here. The new LLM has caused serious concern globally as a result of its ability to spot zero-day vulnerabilities in IT systems – theoretically exposing the cybersecurity infrastructure of the world to significant risk.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Its existence was announced on 7 April, along with Anthropic’s intention to restrict its use to a handful of key tech firms and banks like Apple and Goldman Sachs. By 22 April, Anthropic was investigating reports that unauthorized users had accessed the model.

We have also seen significant risk in the software supply chain, such as the LiteLLM hack that was at the center of the Mercor breach. At time of writing, the entire security infrastructure of the internet hasn’t collapsed, but security and compliance teams are losing sleep.

The point is that the span between Mythos’s existence becoming known to the first time it posed a real-world risk was measured in days, not years. Which means that in that time, it would have been functionally impossible for lawmakers to learn about the new AI developments Mythos represents, consider their possible impacts, and adjust legislation to match.

As far as the law is concerned, AI is the slipperiest of fish. It is also where we are more likely to see regulators and lawyers rely on existing rules and authorities, versus waiting for something net new.

Call in the lawyers

In that context, checks and balances on the AI industry will need to come from elsewhere. Rather than next-gen tech, businesses will need to turn to those most human of attributes – common sense and survival instincts. Pragmatism, driven by the threat of litigation and fines under new liability frameworks, is more likely to curb harmful or irresponsible AI deployment far earlier than formal regulation can.

In other words, if successful lawsuits are brought for unethical AI creation or use, we can expect to see far more pre-emptive work done by the industry itself – constrained not by all-seeing legislation, but the precedent of litigation.

This isn’t wishful thinking – the AI startup Mercor, valued at $10bn, is already facing seven class-action lawsuits following a data breach that raised concerns about provenance of training data and opacity in their practices. According to the lawsuits, Mercor was found to have monitored contractors’ computers and shared the resulting data with clients, used recorded candidate interviews to train AI models, and trained client models on materials potentially owned by other companies.

The Mercor lawsuits are based on existing statutes and regulations, including privacy, cybersecurity, and even record keeping causes of action. This is instructive, as claims arising from AI issues do not need novel AI laws or regulations, and the Plaintiff’s Bar is unlikely to stop here. Over time, legal action targeting improper use, breaches, or bias, will create a framework of legal precedent, as impactful to the market as new AI regulation

Defensibility-A Pragmatic Approach

As a result, leaders will recognize the need for a pragmatic approach in how AI models are built and used. As the caseload of AI litigation increases, it will be increasingly self-evident that organizations must be able to defend the training, use, and ongoing operation of AI applications and agents.

Not only will this be important when the plaintiff’s bar or a regulator shows up, but to stay in the good graces of cyber insurance carriers.

In the same manner in which restaurants handle allergens or hospitals handle patient consent have been shaped in large part by high-profile litigation, so the AI industry may be molded by the courts far quicker than by parliaments and legislatures.

As a result, AI businesses need to take a structured, intelligent approach to their data and AI governance practices. It’s crucial they understand the lineage of their data, where it is managed, how AI and agents can access and use it, and monitor the outcomes.

Without the foundational data governance practices, the risk of a misstep increases exponentially – potentially exposing the organisation to litigation, even if no specific AI regulation applies to limit the activity in question.

Pragmatism will set the pace – technology will make it possible.

We list the best password manager.

This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.

The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

AGC and VP of Compliance, Archive360.