There are no loopholes in AI: Putting legal guardrails on companies’ use of AI | Skadden, Arps, Slate, Meagher & Flom LLP

Applications of AI

Important points

  • Although there is no comprehensive AI regulatory framework in place in the United States, the use of AI is regulated by many existing laws, and new laws are taking effect across the United States. In their oversight role, boards need to be aware of the various laws that may govern their companies.
  • Existing laws and their application to businesses will need to be revisited in light of advances in AI, and new laws will need to be assessed in the context of businesses’ AI needs and ambitions.
  • With the rapid expansion of AI, companies need to implement agile and strategic compliance frameworks that keep pace with their business and allow them to focus their limited legal resources on the AI tools that pose the highest risks.

__________

If you’re a board member, you’ve probably heard conflicting messages about artificial intelligence (AI) regulation in the U.S. Some argue that AI is simply not regulated in the U.S. The truth is more nuanced than you might think, and it matters now.

While it’s true that Congress hasn’t passed any comprehensive AI-specific legislation, your company’s use of AI is almost certainly already regulated. Here’s why: the law doesn’t care how you broke the rules; it only cares that you broke them.

Introducing new technology does not provide legal immunity

Let’s start with a simple proposition. Using artificial intelligence to perform a task does not exempt that task from the regulations that already govern it. This principle may seem obvious, but sophisticated companies trip over it time and time again.


Consider a financial services company that deploys an AI system to evaluate loan applications. Fair lending laws, such as the Equal Credit Opportunity Act and the Fair Housing Act, apply whether the decision is made by an algorithm or by a loan officer. The fact that the discrimination may have resulted from biases built into a neural network rather than overt human bias is likely irrelevant for the purposes of those laws.

This concept extends to all regulatory areas. Healthcare companies that use AI remain bound by the privacy and security obligations of the Health Insurance Portability and Accountability Act (HIPAA), by informed consent requirements, and by medical malpractice standards. Employers that use AI screening tools in hiring must continue to comply with Title VII of the Civil Rights Act and the Americans with Disabilities Act. Publicly traded companies that use AI in preparing financial disclosures must continue to comply with securities law requirements for accuracy and completeness.

Regulators are already regulating AI – by sector

As AI proliferates, industry regulators are not sitting idle. They have used existing legal powers to assert jurisdiction over AI systems, often stating explicitly that their rules and jurisdiction apply to AI as well, and often in ways that create real enforcement risk.

The financial services sector is a clear example. The Consumer Financial Protection Bureau has taken enforcement actions against companies whose algorithms produced discriminatory results. The Securities and Exchange Commission has indicated it will increase its oversight of AI-driven trading systems. Banking regulators expect the same model risk management frameworks that apply to traditional credit models to apply to AI, including robust validation, continuous monitoring, and clear governance.

In the healthcare sector, the Food and Drug Administration currently regulates certain AI and machine learning-based medical devices as software as a medical device (SaMD) and requires premarket review for high-risk applications. The Centers for Medicare and Medicaid Services has begun working on reimbursement policies for AI-enabled diagnostic tools. State medical boards have made clear that physicians remain professionally responsible for AI-assisted clinical decision-making.

Employment regulators are doing the same. The Equal Employment Opportunity Commission has issued guidance on AI recruitment tools, emphasizing that employment discrimination laws fully apply regardless of whether the selection is made by a human or an algorithm. Some states and local governments have gone further and have enacted laws mandating certain transparency and auditing requirements for automated employment decision tools.

Why “I didn’t know what the AI would do” is not a defense

Some companies assume that the “black box” nature of some AI systems creates plausible deniability for adverse outcomes. It does not.

From a legal perspective, you are responsible for the systems you deploy. When companies put AI tools into production that impact customers, employees, patients, and investors, they are responsible for the consequences. As regulators grapple with AI, it’s becoming clear that saying “an algorithm did it” carries about the same legal weight as saying “a spreadsheet did it” or “a calculator did it.”

In fact, implementing a system you don’t fully understand can create additional liability. Regulators and courts expect companies to conduct appropriate due diligence before introducing technology that affects people’s rights or economic interests, and to understand how it works and the risks it poses. If you cannot explain how your AI system makes decisions, you may have a hard time proving that you fulfilled your duty of care or ensured non-discriminatory outcomes.

This is especially true for board members. Directors have a fiduciary duty to reasonably supervise the operations of the company. Allowing the deployment of AI systems without proper governance, testing, or oversight may constitute a breach of the duty of care, especially if the problem is foreseeable and preventable.

Compliance framework

Rather than waiting for comprehensive federal AI legislation, boards should ask management to implement a governance framework now. Mature AI governance in regulated industries looks like this:

Define what you mean by AI. The term AI encompasses many technologies, many of which are low-risk and can be used without additional legal governance. Decide which types of AI and which use cases actually pose a risk to your business (high-risk AI, such as customer-facing AI tools with high reputational risk if they malfunction) and which systems your business absolutely relies on (critical AI, such as business-critical pricing systems). This allows you to focus your legal and compliance resources on the high-risk and critical use cases.

Inventory and risk classification. You can’t govern something you don’t know exists. Businesses need a clear process to identify where high-risk and critical AI is being used across the organization and categorize systems based on their risk profile. You also need a process to ensure this inventory is kept up-to-date, as AI tool risks often change rapidly as new features are released or employees discover new uses for existing capabilities.

Domain-specific compliance integration. Identify which existing regulations apply to each high-risk, major AI system and incorporate compliance requirements into the development and deployment process.

Build on what you already have. Where possible, integrate AI governance into existing compliance processes rather than “starting from scratch” with new AI policies that add complexity and are not tied to existing processes. For example, the AI governance needed to address anti-discrimination laws can be built into existing anti-discrimination policies and processes rather than siloed within an AI policy. Rather than having a vendor section in your AI policy, update your vendor management policy to address the risks of vendors relying on AI when providing services or using your data within AI.

Validation and testing protocols. Key high-risk AI systems must be tested for accuracy, fairness, and robustness before deployment. AI systems can drift over time, so many regulators expect continued monitoring after deployment.

Human oversight and accountability. While AI can enhance decision-making, high-stakes decisions in regulated settings typically require meaningful human involvement. Additionally, a responsible owner often needs to be assigned for each AI system. You need to consider which situations require human oversight, what level of oversight will be provided, how you will train the humans who perform it, and (perhaps most difficult) how you will document that oversight. Regulators will want evidence of what you have implemented and that it provides an appropriate level of human control.

Transparency and explainability. While you may not be able to fully explain every output of a complex model, you should be able to clearly explain what the system does, what data it uses, what it is designed to accomplish, what guardrails exist, and especially how you identify when the AI misbehaves and how quickly you can fix it. This matters for regulatory reviews, customer complaints, and litigation.

The role of the board: ask the right questions

Board members don’t need to be AI experts, but they should ask management questions about AI governance.

  • Do you have a comprehensive inventory of key high-risk AI systems used across your organization, particularly in customer-facing and regulated functions?
  • What is the governance framework to ensure that AI systems comply with applicable regulations before (and during) deployment?
  • Who is responsible for key high-risk AI systems? Do they have the appropriate expertise in both the technology and the associated regulatory requirements?
  • What tests are being conducted and what safeguards are in place to ensure that AI systems do not produce questionable results? And if a mistake is made, how can it be quickly identified and corrected?
  • How are AI systems monitored after deployment?
  • What training do employees receive on the appropriate use of AI in specific regulatory situations?

Conclusion

The lack of comprehensive federal AI legislation does not mean there is no AI regulation. It means that AI is being regulated through the application of existing laws, sometimes predictably and sometimes in novel ways that create uncertainty.

For boards, this reality requires active engagement. The risk is not hypothetical. Companies are already facing enforcement actions, lawsuits, and reputational damage from deploying AI systems. These risks will only increase as AI adoption accelerates and regulators develop more sophisticated oversight approaches.

The companies that successfully navigate this environment will be those that recognize the simple truth that AI is a tool and that the company remains responsible for what that tool does. Governance frameworks must reflect that reality and ensure that innovation moves within the boundaries that laws and regulations set for the industry.
