Notice2023-07776
AI Accountability Policy Request for Comment
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
April 13, 2023
Issuing agencies
Commerce DepartmentNational Telecommunications and Information Administration
Abstract
The National Telecommunications and Information Administration (NTIA) hereby requests comments on Artificial Intelligence ("AI") system accountability measures and policies. This request focuses on self-regulatory, regulatory, and other measures and policies that are designed to provide reliable evidence to external stakeholders--that is, to provide assurance--that AI systems are legal, effective, ethical, safe, and otherwise trustworthy. NTIA will rely on these comments, along with other public engagements on this topic, to draft and issue a report on AI accountability policy development, focusing especially on the AI assurance ecosystem.
Full Text
<html>
<head>
<title>Federal Register, Volume 88 Issue 71 (Thursday, April 13, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 71 (Thursday, April 13, 2023)]
[Notices]
[Pages 22433-22441]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-07776]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Telecommunications and Information Administration
[Docket No. 230407-0093]
RIN 0660-XC057
AI Accountability Policy Request for Comment
AGENCY: National Telecommunications and Information Administration,
U.S. Department of Commerce.
ACTION: Notice, request for Comment.
-----------------------------------------------------------------------
SUMMARY: The National Telecommunications and Information Administration
(NTIA) hereby requests comments on Artificial Intelligence (``AI'')
system accountability measures and policies. This request focuses on
self-regulatory, regulatory, and other measures and policies that are
designed to provide reliable evidence to external stakeholders--that
is, to provide assurance--that AI systems are legal, effective,
ethical, safe, and otherwise trustworthy. NTIA will rely on these
comments, along with other public engagements on this topic, to draft
and issue a report on AI accountability policy development, focusing
especially on the AI assurance ecosystem.
DATES: Written comments must be received on or before June 12, 2023.
ADDRESSES: All electronic public comments on this action, identified by
<a href="http://Regulations.gov">Regulations.gov</a> docket number NTIA-2023-0005, may be submitted through
the Federal e-Rulemaking Portal at <a href="http://www.regulations.gov">www.regulations.gov</a>. The docket
established for this request for comment can be found at
<a href="http://www.regulations.gov">www.regulations.gov</a>, NTIA-2023-0005. Click the ``Comment Now!'' icon,
complete the required fields, and enter or attach your comments.
Additional instructions can be found in the ``Instructions'' section
below after ``Supplementary Information.''
FOR FURTHER INFORMATION CONTACT: Please direct questions regarding this
Notice to Travis Hall at <a href="/cdn-cgi/l/email-protection#84f0ece5e8e8c4eaf0ede5aae3ebf2"><span class="__cf_email__" data-cfemail="2e5a464f42426e405a474f00494158">[email protected]</span></a> with ``AI Accountability Policy
Request for Comment'' in the subject line, or if by mail, addressed to
Travis Hall, National Telecommunications and Information
Administration, U.S. Department of Commerce, 1401 Constitution Avenue
NW, Room 4725, Washington, DC 20230; telephone: (202) 482-3522. Please
direct media inquiries to NTIA's Office of Public Affairs, telephone:
(202) 482-7002; email: <a href="/cdn-cgi/l/email-protection#6c1c1e091f1f2c0218050d420b031a"><span class="__cf_email__" data-cfemail="b7c7c5d2c4c4f7d9c3ded699d0d8c1">[email protected]</span></a>.
SUPPLEMENTARY INFORMATION:
Background and Authority
Advancing trustworthy Artificial Intelligence (``AI'') is an
important federal objective.\1\ The National AI Initiative Act of 2020
\2\ established federal priorities for AI, creating the National AI
Initiative Office to coordinate federal efforts to advance trustworthy
AI applications, research, and U.S. leadership in the development and
use of trustworthy AI in the public and private sectors.\3\ Other
legislation, such as the landmark CHIPS and Science Act of 2022, also
support the advancement of trustworthy AI.\4\ These initiatives are in
accord with Administration efforts to advance American values and
leadership in AI \5\ and technology platform accountability \6\ and to
promote ``trustworthy artificial intelligence'' as part of a national
security strategy.\7\ Endeavors that further AI system governance to
combat harmful bias and promote equity and inclusion also support the
Administration's agenda on racial equity and support for underserved
communities.\8\ Moreover, efforts to advance trustworthy AI are core to
the work of the Department of Commerce. In recent public outreach, the
International Trade Administration noted that the Department ``is
focused on solidifying U.S. leadership in emerging technologies,
including AI'' and that the ``United States seeks to promote the
development of innovative and trustworthy AI systems that respect human
rights, [and] democratic values, and are designed to enhance privacy
protections.'' \9\
---------------------------------------------------------------------------
\1\ See generally, Laurie A Harris, Artificial Intelligence:
Background, Selected Issues, and Policy Considerations, CRS 46795,
U.S. Library of Congress: Congressional Research Service, (May 19,
2021), at 16-26, 41-42, <a href="https://crsreports.congress.gov/product/pdf/R/R46795">https://crsreports.congress.gov/product/pdf/R/R46795</a> (last visited Feb. 1, 2023).
\2\ The National Artificial Intelligence Initiative Act of 2020,
Pub. L. 116-283, 134 Stat. 3388 (Jan. 1, 2021).
\3\ U.S. National Artificial Intelligence Initiative Office,
Advancing Trustworthy AI Initiative, <a href="https://www.ai.gov/strategic-pillars/advancing-trustworthy-ai">https://www.ai.gov/strategic-pillars/advancing-trustworthy-ai</a> (last visited Jan. 19, 2023).
\4\ See, e.g., CHIPS and Science Act of 2022, Pub. L. 117-167,
136 Stat. 1392 (Aug. 9, 2022) (providing support and guidance for
the development of safe, secure, and trustworthy AI systems,
including considerations of fairness and bias as well as the
ethical, legal, and societal implications of AI more generally).
\5\ Supra note 2 (implemented though the National Artificial
Intelligence Initiative, <a href="https://ai.gov">https://ai.gov</a> (last visited Jan. 19,
2023)).
\6\ White House, Readout of White House Listening Session on
Tech Platform Accountability (Sept. 8, 2022) [Tech Platform
Accountability], <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2022/09/08/readout-of-white-house-listening-session-on-tech-platform-accountability">https://www.whitehouse.gov/briefing-room/statements-releases/2022/09/08/readout-of-white-house-listening-session-on-tech-platform-accountability</a> (last visited Feb. 1, 2023).
\7\ White House, Biden-Harris Administration's National Security
Strategy (Oct. 12, 2022) at 21, <a href="https://www.whitehouse.gov/wp-content/uploads/2022/10/Biden-Harris-Administrations-National-Security-Strategy-10.2022.pdf">https://www.whitehouse.gov/wp-content/uploads/2022/10/Biden-Harris-Administrations-National-Security-Strategy-10.2022.pdf</a> (last visited Feb. 1, 2023)
(identifying ``trusted artificial intelligence'' and ``trustworthy
artificial intelligence'' as priorities). See also U.S. Government
Accountability Office; Artificial Intelligence: An Accountability
Framework for Federal Agencies and Other Entities, GAO-21-519SP
(June 30, 2021) (proposing a framework for accountable AI around
governance, data, performance, and monitoring).
\8\ See Advancing Racial Equity and Support for Underserved
Communities Through the Federal Government, Exec. Order No. 13985,
86 FR 7009 (Jan. 25, 2021) (revoking Exec. Order No. 13058); Further
Advancing Racial Equity and Support for Underserved Communities
Through the Federal Government, Exec. Order No. 14091, 88 FR 10825,
10827 (Feb. 16, 2023) (specifying a number of equity goals related
to the use of AI, including the goal to ``promote equity in science
and root out bias in the design and use of new technologies, such as
artificial intelligence.'').
\9\ International Trade Administration, Request for Comments on
Artificial Intelligence Export Competitiveness, 87 FR 50288, 50288
(Oct. 17, 2022) (``ITA is broadly defining AI as both the goods and
services that enable AI systems, such as data, algorithms and
computing power, as well as AI-driven products across all industry
verticals, such as autonomous vehicles, robotics and automation
technology, medical devices and healthcare, security technology, and
professional and business services, among others.'').
---------------------------------------------------------------------------
To advance trustworthy AI, the White House Office of Science and
Technology Policy produced a Blueprint for an AI Bill of Rights
(``Blueprint''), providing guidance on ``building and deploying
automated systems that are aligned with democratic values and protect
civil rights, civil liberties, and privacy.'' \10\ The National
Institute of Standards and Technology (NIST) produced an AI Risk
Management Framework, which provides a voluntary process for managing a
wide range of potential AI risks.\11\ Both of these initiatives
[[Page 22434]]
contemplate mechanisms to advance the trustworthiness of algorithmic
technologies in particular contexts and practices.\12\ Mechanisms such
as measurements of AI system risks, impact assessments, and audits of
AI system implementation against valid benchmarks and legal
requirements, can build trust. They do so by helping to hold entities
accountable for developing, using, and continuously improving the
quality of AI products, thereby realizing the benefits of AI and
reducing harms. These mechanisms can also incentivize organizations to
invest in AI system governance and responsible AI products. Assurance
that AI systems are trustworthy can assist with compliance efforts and
help create marks of quality in the marketplace.
---------------------------------------------------------------------------
\10\ White House, Blueprint for an AI Bill of Rights: Making
Automated Systems Work for the American People (Blueprint for AIBoR)
(Oct. 2022), <a href="https://www.whitehouse.gov/ostp/ai-bill-of-rights">https://www.whitehouse.gov/ostp/ai-bill-of-rights</a>.
\11\ National Institute for Standards and Technology, Artificial
Intelligence Risk Management Framework 1.0 (AI RMF 1.0) (Jan. 2023),
<a href="https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf">https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf</a>. See also
National Artificial Intelligence Research Resource Task Force,
Strengthening and Democratizing the U.S. Artificial Intelligence
Innovation Ecosystem: An Implementation Plan for a National
Artificial Intelligence Research Resource (Jan. 2023), <a href="https://www.ai.gov/wp-content/uploads/2023/01/NAIRR-TF-Final-Report-2023.pdf">https://www.ai.gov/wp-content/uploads/2023/01/NAIRR-TF-Final-Report-2023.pdf</a>
(last visited Feb. 1, 2023) (presenting a roadmap to developing a
widely accessible AI research cyberinfrastructure, including support
for system auditing).
\12\ See, e.g., AI RMF 1.0, supra note 11 at 11 (graphically
showing test, evaluation, verification, and validation (TEVV)
processes, including assessment and audit, occur throughout an AI
lifecycle); Blueprint for AIBoR, supra note 10 at 27-28 (referring
to ``independent'' and ``third party'' audits, as well as ``best
practices'' in audits and assessments to ensure high data quality
and fair and effective AI systems). See also Tech Platform
Accountability (Sept. 8, 2022) (including the goal of promoting
transparency in platform algorithms and preventing discrimination in
algorithmic decision-making).
---------------------------------------------------------------------------
NTIA is the President's principal advisor on telecommunications and
information policy issues. In this role, NTIA studies and develops
policy on the impacts of information and communications technology on
civil rights; \13\ transparency in software components; \14\ and the
use of emerging digital technologies.\15\ NTIA's statutory authority,
its role in advancing sound internet, privacy, and digital equity
policies, and its experience leading stakeholder engagement processes
align with advancing sound policies for trustworthy AI generally and AI
accountability policies in particular.
---------------------------------------------------------------------------
\13\ National Telecommunications and Information Administration,
Data Privacy, Equity and Civil Rights Request for Comments, 88 FR
3714 (Jan. 20, 2023).
\14\ National Telecommunications and Information Administration,
Software Bill of Materials (Apr. 27, 2021), <a href="https://ntia.gov/page/software-bill-materials">https://ntia.gov/page/software-bill-materials</a> (last visited Feb. 1, 2023).
\15\ See, e.g., National Telecommunications and Information
Administration, Spectrum Monitoring--Institute for
Telecommunications Sciences, <a href="https://its.ntia.gov/research-topics/spectrum-management-r-d/spectrum-monitoring">https://its.ntia.gov/research-topics/spectrum-management-r-d/spectrum-monitoring</a> (last visited Feb. 1,
2023).
---------------------------------------------------------------------------
Definitions and Objectives
Real accountability can only be achieved when entities are held
responsible for their decisions. A range of AI accountability processes
and tools (e.g., assessments and audits, governance policies,
documentation and reporting, and testing and evaluation) can support
this process by proving that an AI system is legal, effective, ethical,
safe, and otherwise trustworthy--a function also known as providing AI
assurance.
The term ``trustworthy AI'' is intended to encapsulate a broad set
of technical and socio-technical attributes of AI systems such as
safety, efficacy, fairness, privacy, notice and explanation, and
availability of human alternatives. According to NIST, ``trustworthy
AI'' systems are, among other things, ``valid and reliable, safe,
secure and resilient, accountable and transparent, explainable and
interpretable, privacy-enhanced, and fair with their harmful bias
managed.'' \16\ Along the same lines, the Blueprint identifies a set of
five principles and associated practices to help guide the design, use,
and deployment of AI and other automated systems. These are: (1) safety
and effectiveness, (2) algorithmic discrimination protections, (3) data
privacy, (4) notice and explanation, and (5) human alternatives,
consideration and fallback.\17\ These principles align with the
trustworthy AI principles propounded by the Organisation for Economic
Co-operation and Development (OECD) in 2019, which 46 countries have
now adopted.\18\ Other formulations of principles for responsible or
trustworthy AI containing all or some of the above-stated
characteristics are contained in industry codes,\19\ academic
writing,\20\ civil society codes,\21\ guidance and frameworks from
standards bodies,\22\ and other governmental instruments.\23\ AI
assurance is the practical implementation of these principles in
applied settings with adequate internal or external enforcement to
provide for accountability.
---------------------------------------------------------------------------
\16\ AI RMF 1.0, supra note 11.
\17\ White House, Blueprint for AIBoR, supra note 10.
\18\ Organisation for Economic Co-operation and Development
(OECD), Recommendation of the Council on Artificial Intelligence
(May 22, 2019), <a href="https://www.oecd.org/gov/pcsd/recommendation-on-policy-coherence-for-sustainable-development-eng.pdf">https://www.oecd.org/gov/pcsd/recommendation-on-policy-coherence-for-sustainable-development-eng.pdf</a> (last visited
Feb. 1, 2023) (AI systems should (1) drive inclusive growth,
sustainable development and well-being; (2) be designed to respect
the rule of law, human rights, democratic values, and diversity; (3)
be transparent; (4) be robust, safe, and secure; (5) and be
accountable).
\19\ See, e.g., Microsoft, Microsoft Responsible AI Standard
Reference Guide Version 2.0 (June 2022), <a href="https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4ZPmV">https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4ZPmV</a> (last
visited Feb. 1, 2023) (identifying accountability, transparency,
fairness, reliability and safety, privacy and security, and
inclusiveness goals).
\20\ See, e.g., Jessica Newman, Univ. of Cal. Berkeley Center
for Long-Term Cybersecurity, A Taxonomy of Trustworthiness for
Artificial Intelligence White Paper (Jan. 2023), Univ. of Cal.
Berkeley Center for Long-Term Cybersecurity, <a href="https://cltc.berkeley.edu/wp-content/uploads/2023/01/Taxonomy_of_AI_Trustworthiness.pdf">https://cltc.berkeley.edu/wp-content/uploads/2023/01/Taxonomy_of_AI_Trustworthiness.pdf</a> (mapping 150 properties of
trustworthiness, building on NIST AI Risk Management Framework);
Thilo Hagendorff, The Ethics of AI Ethics: An Evaluation of
Guidelines, Minds & Machines 30, 99-120 (2020), <a href="https://doi.org/10.1007/s11023-020-09517-8">https://doi.org/10.1007/s11023-020-09517-8</a>; Jeannette M. Wing, Trustworthy AI,
Communications of the ACM, Vol. 64 No. 10 (Oct. 2021), <a href="https://cacm.acm.org/magazines/2021/10/255716-trustworthy-ai/fulltext">https://cacm.acm.org/magazines/2021/10/255716-trustworthy-ai/fulltext</a>.
\21\ See generally, Luciano Floridi, and Josh Cowls, A Unified
Framework of Five Principles for AI in Society, Harvard Data Science
Review, Issue1.1 (July 01, 2019), <a href="https://doi.org/10.1162/99608f92.8cd550d1">https://doi.org/10.1162/99608f92.8cd550d1</a> (synthesizing ethical AI codes); Algorithm Watch,
The AI Ethics Guidelines Global Inventory (2022), <a href="https://inventory.algorithmwatch.org">https://inventory.algorithmwatch.org</a> (last visited Feb. 1, 2023) (listing
165 sets of ethical AI guidelines).
\22\ See, e.g., Institute of Electrical and Electronics
Engineers (IEEE), IEEE Global Initiative on Ethics of Autonomous &
Intelligent Systems (Feb. 2022), <a href="http://standards.ieee.org/develop/indconn/ec/ead_v2.pdf">http://standards.ieee.org/develop/indconn/ec/ead_v2.pdf</a>; IEEE, IEEE P7014: Emulated Empathy in
Autonomous and Intelligent Systems Working Group, <a href="https://sagroups.ieee.org/7014">https://sagroups.ieee.org/7014</a> (last visited Feb. 1, 2023). C.f. Daniel
Schiff et al., IEEE 7010: A New Standard for Assessing the Well-
Being Implications of Artificial Intelligence, IEEE Int'l Conf. on
Sys., Man & Cybernetics 1 (2020). There also efforts to harmonize
and compare tools for trustworthy AI. See, e.g., OECD, OECD Tools
for Trustworthy AI: A Framework to Compare Implementation Tools for
Trustworthy AI Systems, OECD Digital Economy Papers No. 312 (June
2021), <a href="https://www.oecd-ilibrary.org/docserver/008232ec-en.pdf?expires=1674495915&id=id&accname=guest&checksum=F5D10D29FCE205F3F32F409A679571FE">https://www.oecd-ilibrary.org/docserver/008232ec-en.pdf?expires=1674495915&id=id&accname=guest&checksum=F5D10D29FCE205F3F32F409A679571FE</a>.
\23\ See, e.g., European Commission, High-Level Expert Group on
Artificial Intelligence (AI HLEG), Ethics Guidelines for Trustworthy
AI (Apr. 8, 2019), <a href="https://digital-strategy.ec.europa.eu/en/library/ethics-guidelines-trustworthy-ai">https://digital-strategy.ec.europa.eu/en/library/ethics-guidelines-trustworthy-ai</a>.
---------------------------------------------------------------------------
Many entities already engage in accountability around
cybersecurity, privacy, and other risks related to digital
technologies. The selection of AI and other automated systems for
particular scrutiny is warranted because of their unique features and
fast-growing importance in American life and commerce. As NIST notes,
these systems are
``trained on data that can change over time, sometimes significantly
and unexpectedly, affecting system functionality and trustworthiness
in ways that are hard to understand. AI systems and the contexts in
which they are deployed are frequently complex, making it difficult
to detect and respond to failures when they occur. AI systems are
inherently socio-technical in nature, meaning they are influenced by
societal dynamics and human behavior. AI risks--and benefits--can
emerge from the interplay of technical aspects combined with
societal factors related to how a system is used, its interactions
with other AI systems, who operates it, and the social context in
which it is deployed.'' \24\
---------------------------------------------------------------------------
\24\ AI Risk Mgmt. Framework 1.0, supra note 11 at 1.
[[Page 22435]]
---------------------------------------------------------------------------
The objective of this engagement is to solicit input from
stakeholders in the policy, legal, business, academic, technical, and
advocacy arenas on how to develop a productive AI accountability
ecosystem. Specifically, NTIA hopes to identify the state of play,
gaps, and barriers to creating adequate accountability for AI systems,
any trustworthy AI goals that might not be amenable to requirements or
standards, how supposed accountability measures might mask or minimize
AI risks, the value of accountability mechanisms to compliance efforts,
and ways governmental and non-governmental actions might support and
enforce AI accountability practices.
This Request for Comment uses the terms AI, algorithmic, and
automated decision systems without specifying any particular technical
tool or process. It incorporates NIST's definition of an ``AI system,''
as ``an engineered or machine-based system that can, for a given set of
objectives, generate outputs such as predictions, recommendations, or
decisions influencing real or virtual environments.'' \25\ This
Request's scope and use of the term ``AI'' also encompasses the broader
set of technologies covered by the Blueprint: ``automated systems''
with ``the potential to meaningfully impact the American public's
rights, opportunities, or access to critical resources or services.''
\26\
---------------------------------------------------------------------------
\25\ Id.
\26\ Blueprint for AIBoR, supra note 10 at 8.
---------------------------------------------------------------------------
Accountability for Trustworthy AI
1. Growing Regulatory Interest in AI Accountability Mechanisms
Governments, companies, and civil society organizations are
developing AI governance tools to mitigate the risks of autonomous
systems to individuals and communities. Among these are accountability
mechanisms to show that AI systems are trustworthy, which can help
foster responsible development and deployment of algorithmic systems,
while at the same time giving affected parties (including customers,
investors, affected individuals and communities, and regulators)
confidence that the technologies are in fact worthy of trust.\27\
Governments around the world, and within the United States, are
beginning to require accountability mechanisms including audits and
assessments of AI systems, depending upon their use case and risk
level. For example, there are relevant provisions in the European
Union's Digital Services Act requiring audits of very large online
platforms' systems,\28\ the draft EU Artificial Intelligence Act
requiring conformity assessments of certain high-risk AI tools before
deployment,\29\ and New York City Law 144 requiring bias audits of
certain automated hiring tools used within its jurisdiction.\30\
Several bills introduced in the U.S. Congress include algorithmic
impact assessment or audit provisions.\31\ In the data and consumer
protection space, policies focus on design features of automated
systems by requiring in the case of privacy-by-design,\32\ or
prohibiting in the case of ``dark patterns,'' certain design choices to
secure data and consumer protection.\33\ Governments are mandating
accountability measures for government-deployed AI systems.\34\ Related
tools are also emerging in the private sector from non-profit entities
such as the Responsible AI Institute (providing system certifications)
\35\ to startups and well-established companies, such as Microsoft's
Responsible AI Standard \36\ and Datasheets for Datasets,\37\ the
Rolls-Royce Alethia Framework,\38\ Google's Model Card Toolkit,\39\ and
many others.
---------------------------------------------------------------------------
\27\ See, e.g., Michael Kearns and Aaron Roth, Ethical Algorithm
Design Should Guide Technology Regulation, Brookings (Jan. 13,
2020), <a href="https://www.brookings.edu/research/ethical-algorithm-design-should-guide-technology-regulation">https://www.brookings.edu/research/ethical-algorithm-design-should-guide-technology-regulation</a> (noting that ``more systematic,
ongoing, and legal ways of auditing algorithms are needed'').
\28\ European Union, Amendments Adopted by the European
Parliament on 20 January 2022 on the Proposal for a Regulation of
the European Parliament and of the Council on a Single Market For
Digital Services (Digital Services Act) and amending Directive 2000/
31/EC, OJ C 336, <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52022AP0014">https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52022AP0014</a> (Article 28 provides that ``[v]ery large
online platforms shall ensure auditors have access to all relevant
data necessary to perform the audit properly.'' Further, auditors
must be ``recognised and vetted by the Commission and . . . [must
be] legally and financially independent from, and do not have
conflicts of interest with'' the audited platforms.).
\29\ European Union, Proposal for a Regulation of the European
Parliament and Of The Council Laying Down Harmonised Rules On
Artificial Intelligence (Artificial Intelligence Act) and Amending
Certain Union Legislative Acts, 2021/0106(COD), <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0206">https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0206</a>. See
also European Parliament Special Committee on Artificial
Intelligence in a Digital Age, Report on Artificial Intelligence in
a Digital Age, A9-0088/2022, <a href="https://www.europarl.europa.eu/doceo/document/A-9-2022-0088_EN.html">https://www.europarl.europa.eu/doceo/document/A-9-2022-0088_EN.html</a> (setting forth European Parliament
positions on AI development and governance).
\30\ The New York City Council, Automated Employment Decision
Tools, Int 1894-2020 (effective Apr. 2023), <a href="https://legistar.council.nyc.gov/LegislationDetail.aspx?ID=4344524&GUID=B051915D-A9AC-451E-81F8-6596032FA3F9&Options=ID%7CText%7C&Search=">https://legistar.council.nyc.gov/LegislationDetail.aspx?ID=4344524&GUID=B051915D-A9AC-451E-81F8-6596032FA3F9&Options=ID%7CText%7C&Search=</a>. A similar law has been
proposed in New Jersey. Bill A4909 (Sess. 2022-2023), <a href="https://legiscan.com/NJ/text/A4909/2022">https://legiscan.com/NJ/text/A4909/2022</a>. See also, Colorado SB 21-169,
Protecting Consumers from Unfair Discrimination in Insurance
Practices (2021) (requiring insurers to bias test big data systems,
including algorithms and predictive models, and to demonstrate
testing methods and nondiscriminatory results to the Colorado
Division of Insurance); State of Connecticut Insurance Dept., Notice
to All Entities and Persons Licensed by the Connecticut Insurance
Department Concerning the Usage of Big Data and Avoidance of
Discriminatory Practices (April 20, 2022) (expressing potential
regulatory concerns with ``[h]ow Big Data algorithms, predictive
models, and various processes are inventoried, risk assessed/ranked,
risk managed, validated for technical quality, and governed
throughout their life cycle to achieve the mandatory compliance''
with non-discrimination laws and reminding insurers to submit annual
data certifications), <a href="https://portal.ct.gov/-/media/CID/1_Notices/Technologie-and-Big-Data-Use-Notice.pdf">https://portal.ct.gov/-/media/CID/1_Notices/Technologie-and-Big-Data-Use-Notice.pdf</a>.
\31\ See, e.g., American Data Privacy and Protection Act, H.R.
8152, 117th Cong. Sec. 207(c) (2022) (proposing to require large
data holders using covered algorithms posing consequential risk of
harm to individuals or groups to conduct risk assessment and report
on risk mitigation measures); Algorithmic Accountability Act of
2022, H.R. 6580, 117th Cong. (2022) (would require covered entities
to produce impact assessments for the Federal Trade Commission).
\32\ See, e.g., Council Regulation 2016/679, of the European
Parliament and of the Council of Apr. 27, 2016 on the Protection of
Natural Persons with Regard to the Processing of Personal Data and
on the free Movement of Such Data, and Repealing Directive 95/46/EC
(General Data Protection Regulation), Art. 25 (implementing data
protection by design principles).
\33\ See, e.g., Cal. Civ. Code Sec. 1798.140, subd. (l), (h)
(effective Jan. 1, 2023) (regulating the use of a ``dark pattern''
defined as a ``user interface designed or manipulated with the
substantial effect of subverting or impairing user autonomy,
decision-making, or choice, as further defined by regulation'' and
noting that ``agreement obtained through use of dark patterns does
not constitute consent.'').
\34\ See, e.g., Treasury Board of Canada Secretariat,
Algorithmic Impact Assessment Tool, Government of Canada (modified
April 19, 2022), <a href="https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/responsible-use-ai/algorithmic-impact-assessment.html">https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/responsible-use-ai/algorithmic-impact-assessment.html</a>; Treasury Board of Canada
Secretariat, Directive on Automated Decision-Making, Government of
Canada (modified April 1, 2021), <a href="https://www.tbssct.canada.ca/pol/doc-eng.aspx?id=32592">https://www.tbssct.canada.ca/pol/doc-eng.aspx?id=32592</a>.
\35\ Responsible Artificial Intelligence Institute, <a href="https://www.responsible.ai/">https://www.responsible.ai/</a> (last visited Apr. 2, 2023).
\36\ Microsoft, Microsoft Responsible AI Standard, v2 General
Requirements (June 2022), <a href="https://blogs.microsoft.com/wp-content/uploads/prod/sites/5/2022/06/Microsoft-Responsible-AI-Standard-v2-General-Requirements-3.pdf">https://blogs.microsoft.com/wp-content/uploads/prod/sites/5/2022/06/Microsoft-Responsible-AI-Standard-v2-General-Requirements-3.pdf</a>.
\37\ Microsoft, Aether Data Documentation Template (Draft 08/25/
2022), <a href="https://www.microsoft.com/en-us/research/uploads/prod/2022/07/aether-datadoc-082522.pdf">https://www.microsoft.com/en-us/research/uploads/prod/2022/07/aether-datadoc-082522.pdf</a>. See also Timnit Gebru et. Al.,
Datasheets for Datasets, Communications of the ACM, Vol. 64, No. 12,
86- 92 (Dec. 2021).
\38\ Rolls Royce, Aletheia Framework, <a href="https://www.rolls-royce.com/innovation/the-aletheia-framework.aspx">https://www.rolls-royce.com/innovation/the-aletheia-framework.aspx</a> (last visited Mar.
3, 2023).
\39\ GitHub, Tensorflow/model-card-toolkit, <a href="https://github.com/tensorflow/model-card-toolkit">https://github.com/tensorflow/model-card-toolkit</a> (last visited Jan. 30, 2023) (``A
toolkit that streamlines and automates the generation of model
cards'').
---------------------------------------------------------------------------
Federal regulators have been addressing AI system risk management
in certain sectors for more than a decade. For example, the Federal
Reserve in 2011 issued SR-11-7 Guidance on Algorithmic Model Risk
[[Page 22436]]
Management, noting that reducing risks requires ``critical analysis by
objective, informed parties that can identify model limitations and
produce appropriate changes'' and, relatedly, the production of
testing, validation, and associated records for examination by
independent parties.\40\ As financial agencies continue to explore AI
accountability mechanisms in their areas,\41\ other federal agencies
such as the Equal Employment Opportunities Commission have begun to do
the same.\42\ Moreover, state regulators are considering compulsory AI
accountability mechanisms.\43\
---------------------------------------------------------------------------
\40\ Board of Governors of the Federal Reserve System,
Supervisory Guidance on Model Risk Management, Federal Reserve SR
Letter 11-7 (Apr. 4, 2011), <a href="https://www.federalreserve.gov/supervisionreg/srletters/sr1107.htm">https://www.federalreserve.gov/supervisionreg/srletters/sr1107.htm</a>.
\41\ Department of Treasury, Board of Governors of the Federal
Reserve System, Federal Deposit Insurance Corporation, Bureau of
Consumer Financial Protection, and National Credit Union
Administration, Request for Information and Comment on Financial
Institutions' Use of Artificial Intelligence, Including Machine
Learning, 86 FR 16837 (Mar. 31, 2021).
\42\ See U.S. Equal Employment Opportunity Commission, The
Americans with Disabilities Act and the Use of Software, Algorithms,
and Artificial Intelligence to Assess Job Applicants and Employees
(May 12, 2022) (issuing technical guidance on algorithmic employment
decisions in connection with the Americans with Disabilities Act),
<a href="https://www.eeoc.gov/laws/guidance/americans-disabilities-act-and-use-software-algorithms-and-artificial-intelligence">https://www.eeoc.gov/laws/guidance/americans-disabilities-act-and-use-software-algorithms-and-artificial-intelligence</a>.
\43\ See, e.g., Colorado Department of Regulatory Agencies
Division of Insurance, Draft Proposed New Regulation: Governance and
Risk Management Framework Requirements for Life Insurance Carriers'
Use of External Consumer Data and Information Sources, Algorithms
and Predictive models (Feb. 1, 2023), <a href="https://protect-us.mimecast.com/s/V0LqCVOVw1Hl6g5xSNSwGG?domain=lnks.gd">https://protect-us.mimecast.com/s/V0LqCVOVw1Hl6g5xSNSwGG?domain=lnks.gd</a>.
---------------------------------------------------------------------------
2. AI Audits and Assessments
AI systems are being used in human resources and employment,
finance, health care, education, housing, transportation, law
enforcement and security, and many other contexts that significantly
impact people's lives. The appropriate goal and method to advance AI
accountability will likely depend on the risk level, sector, use case,
and legal or regulatory requirements associated with the system under
examination. Assessments and audits are among the most common
mechanisms to provide assurance about AI system characteristics.
Guidance, academic, and regulatory documents use the terms
``assessments'' (including risk, impact, and conformity) and ``audits''
in various ways and without standard definition.\44\ Often in these
references, ``assessment'' refers to an entity's internal review of an
AI system to identify risks or outcomes. An ``audit'' often refers to
an external review of an AI system at a point in time to assess
performance against accepted benchmarks. Assessments and audits may
both be conducted on a continuous basis, and may be conducted either by
internal or external reviewers.
---------------------------------------------------------------------------
\44\ See, e.g., Louis An Yeung, Guidance for the Development of
AI Risk & Impact Assessments, Center for Long-Term Cybersecurity
(July 2021), at 5, <a href="https://cltc.berkeley.edu/wp-content/uploads/2021/08/AI_Risk_Impact_Assessments.pdf">https://cltc.berkeley.edu/wp-content/uploads/2021/08/AI_Risk_Impact_Assessments.pdf</a> (surveying definitions and
concluding that AI risk and impact assessments ``may be used
interchangeably.'').
---------------------------------------------------------------------------
Common areas of focus for AI audits and assessments include harmful
bias and discrimination, effectiveness and validity, data protection
and privacy, and transparency and explainability (how understandable AI
system predictions or decisions are to humans). For information
services like social media, large language and other generative AI
models, and search, audits and assessments may also cover harms related
to the distortion of communications through misinformation,
disinformation, deep fakes, privacy invasions, and other content-
related phenomena.\45\
---------------------------------------------------------------------------
\45\ Jack Bandy, Problematic Machine Behavior: A Systematic
Literature Review of Algorithm Audits, Proceedings of the ACM on
Human-Computer Interaction, Vol.5. No. 74, 1-34 (April 2021),
<a href="https://doi.org/10.1145/3449148">https://doi.org/10.1145/3449148</a> (identifying discrimination and
distortion as the most commonly audited-for outputs of algorithm
systems).
---------------------------------------------------------------------------
Audits may be conducted internally or by independent third
parties.\46\ An internal audit may be performed by the team that
developed the technology or by a separate team within the same entity.
Independent audits may range from ``black box'' adversarial audits
conducted without the help of the audited entity \47\ to ``white box''
cooperative audits conducted with substantial access to the relevant
models and processes.\48\ Audits may be made public or given limited
circulation, for example to regulators.\49\ They may be conducted by
professional experts or undertaken by impacted lay people.\50\
---------------------------------------------------------------------------
\46\ Responsible Artificial Intelligence Institute, Responsible
AI Certification Program--White Paper (Oct. 2022), <a href="https://assets.ctfassets.net/rz1q59puyoaw/5pyXogKSKNUKRkqOP4hRfy/5c5b525d0a77a1017643dcb6b5124634/RAII_Certification_Guidebook.pdf">https://assets.ctfassets.net/rz1q59puyoaw/5pyXogKSKNUKRkqOP4hRfy/5c5b525d0a77a1017643dcb6b5124634/RAII_Certification_Guidebook.pdf</a>.
\47\ Danae Metaxa et al., Auditing Algorithms: Understanding
Algorithmic Systems from the Outside In, ACL Digital Library (Nov.
25, 2021), <a href="https://dl.acm.org/doi/10.1561/1100000083">https://dl.acm.org/doi/10.1561/1100000083</a>.
\48\ See, e.g., Christo Wilson, et al., Building and Auditing
Fair Algorithms: A Case Study in Candidate Screening, FAccT '21
(March 1-10, 2021), <a href="https://evijit.github.io/docs/pymetrics_audit_FAccT.pdf">https://evijit.github.io/docs/pymetrics_audit_FAccT.pdf</a>.
\49\ See, e.g., Council of the District of Columbia, Stop
Discrimination by Algorithms Act of 2021, B24-558, <a href="https://oag.dc.gov/sites/default/files/2021-12/DC-Bill-SDAA-FINAL-to-file-.pdf">https://oag.dc.gov/sites/default/files/2021-12/DC-Bill-SDAA-FINAL-to-file-.pdf</a> (proposing law that would require audits of certain
algorithmic systems to be shared with the Attorney General of the
District of Columbia).
\50\ See, e.g., Michelle S. Lam et al., End-User Audits: A
System Empowering Communities to Lead Large-Scale Investigations of
Harmful Algorithmic Behavior, Proceedings of the ACM Human-Computer
Interaction, Vol. 6, Issue CSCW2, Article 512, 1-32 (November 2022),
<a href="https://doi.org/10.1145/3555625">https://doi.org/10.1145/3555625</a> (describing an ``end-user audit''
deployed in the content moderation setting to audit Perspective API
toxicity predictions).
---------------------------------------------------------------------------
While some audits and assessments may be limited to technical
aspects of a particular model, it is widely understood that AI models
are part of larger systems, and these systems are embedded in socio-
technical contexts. How models are implemented in practice could depend
on model interactions, employee training and recruitment, enterprise
governance, stakeholder mapping and engagement,\51\ human agency, and
many other factors.\52\ The most useful audits and assessments of these
systems, therefore, should extend beyond the technical to broader
questions about governance and purpose. These might include whether the
people affected by AI systems are meaningfully consulted in their
design \53\ and whether the choice to use the technology in the first
place was well-considered.\54\
---------------------------------------------------------------------------
\51\ See, e.g., Alan Turing Institute, Human Rights, Democracy,
and the Rule of Law Assurance Framework for AI Systems: A Proposal
Prepared for the Council of Europe's Ad hoc Committee on Artificial
Intelligence, 211-223 (2021), <a href="https://rm.coe.int/huderaf-coe-final-1-2752-6741-5300-v-1/1680a3f688">https://rm.coe.int/huderaf-coe-final-1-2752-6741-5300-v-1/1680a3f688</a> (exemplifying what stakeholder
mapping might entail).
\52\ See, e.g., Inioluwa Deborah Raji et al., Closing the AI
Accountability Gap: Defining an End-to-End Framework for Internal
Algorithmic Auditing, FAT* '20: Proceedings of the 2020 Conference
on Fairness, Accountability, and Transparency, 33-44, 37 (January
2020), <a href="https://doi.org/10.1145/3351095.3372873">https://doi.org/10.1145/3351095.3372873</a>; Inioluwa Deborah
Raji et al., Outsider Oversight: Designing a Third Party Audit
Ecosystem for AI Governance, AIES '22: Proceedings of the 2022 AAAI/
ACM Conference on AI, Ethics, and Society 560, 566 (June 9, 2022),
<a href="https://dl.acm.org/doi/pdf/10.1145/3514094.3534181">https://dl.acm.org/doi/pdf/10.1145/3514094.3534181</a>.
\53\ Adriano Koshiyama et al., Towards Algorithm Auditing: A
Survey on Managing Legal, Ethical and Technological Risks of AI, ML
and Associated Algorithms (Feb. 2021), <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3778998">https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3778998</a>.
\54\ See, e.g., Alene Rhea et al., Resume Format, LinkedIn URLs
and Other Unexpected Influences on AI Personality Prediction in
Hiring: Results of an Audit, Proceedings of the 2022 AAAI/ACM
Conference on AI, Ethics, and Society (AIES '22), Association for
Computing Machinery, 572-587 (July 2022), <a href="https://doi.org/10.1145/3514094.3534189">https://doi.org/10.1145/3514094.3534189</a> (finding that personality tests used in automated
hiring decisions cannot be considered valid); Sarah Bird,
Responsible AI Investments and Safeguards for Facial Recognition,
Microsoft Azure, (June 21, 2022), <a href="https://azure.microsoft.com/en-us/blog/responsible-ai-investments-and-safeguards-for-facial-recognition">https://azure.microsoft.com/en-us/blog/responsible-ai-investments-and-safeguards-for-facial-recognition</a> (announcing phase-out of emotion recognition from Azure
Face API facial recognition services because of lack of evidence of
effectiveness).
---------------------------------------------------------------------------
Some accountability mechanisms may use legal standards as a
baseline. For
[[Page 22437]]
example, standards for employment discrimination on the basis of sex,
religion, race, color, disability, or national origin may serve as
benchmarks for AI audits,\55\ as well as for legal compliance
actions.\56\ Civil society groups are developing additional operational
guidance based on such standards.\57\ Some firms and startups are
beginning to offer testing of AI models on a technical level for bias
and/or disparate impact. It should be recognized that for some features
of trustworthy AI, consensus standards may be difficult or impossible
to create.
---------------------------------------------------------------------------
\55\ See, e.g., Christo Wilson et. al., Building and Auditing
Fair Algorithms: A Case Study in Candidate Screening, FAccT '21 (Mar
1-10, 2021), <a href="https://evijit.github.io/docs/pymetrics_audit_FAccT.pdf">https://evijit.github.io/docs/pymetrics_audit_FAccT.pdf</a>
(auditing the claims of an automated hiring tool that it satisfied
Title VII of the Civil Rights Act's four-fifths rule). C.f. Pauline
Kim, Data-Driven Discrimination at Work, 58 Wm. & Mary L. Rev. 857
(2017) (addressing limitations of Title VII liability provisions as
an adequate means to prevent classification bias in hiring); U.S.
Equal Employment Opportunity Commission, Navigating Employment
Discrimination in AI and Automated Systems: A New Civil Rights
Frontier, Meetings of the Commission, Testimony of Manish Raghavan,
(Jan. 31, 2023), <a href="https://www.eeoc.gov/meetings/meeting-january-31-2023-navigating-employment-discrimination-ai-and-automated-systems-new/raghavan">https://www.eeoc.gov/meetings/meeting-january-31-2023-navigating-employment-discrimination-ai-and-automated-systems-new/raghavan</a> (highlighting data-related and other challenges of
auditing AI systems used in hiring according to the four-fifths
rule).
\56\ See, e.g., U.S. Equal Employment Opportunity Commission,
The Americans with Disabilities Act and the Use of Software,
Algorithms, and Artificial Intelligence to Assess Job Applicants and
Employees (May 12, 2022) (issuing technical guidance on algorithmic
employment decisions in connection with the Americans with
Disabilities Act), <a href="https://www.eeoc.gov/laws/guidance/americans-disabilities-act-and-use-software-algorithms-and-artificial-intelligence">https://www.eeoc.gov/laws/guidance/americans-disabilities-act-and-use-software-algorithms-and-artificial-intelligence</a>; U.S. Department of Justice, Justice Department Files
Statement of Interest in Fair Housing Act Case Alleging Unlawful
Algorithm-Based Tenant Screening Practices, Press Release (Jan. 9,
2023), <a href="https://www.justice.gov/opa/pr/justice-department-files-statement-interest-fair-housing-act-case-alleging-unlawful-algorithm">https://www.justice.gov/opa/pr/justice-department-files-statement-interest-fair-housing-act-case-alleging-unlawful-algorithm</a>.
\57\ See, e.g., Matt Scherer and Ridhi Shetty, Civil Rights
Standards for 21st Century Employment Selection Procedures, Center
for Democracy and Technology, (Dec. 2022), <a href="https://cdt.org/insights/civil-rights-standards-for-21st-century-employment-selection-procedures">https://cdt.org/insights/civil-rights-standards-for-21st-century-employment-selection-procedures</a> (guidance on pre-deployment and post-deployment audits
and assessments of algorithmic tools in the employment context to
detect and mitigate adverse impacts on protected classes).
---------------------------------------------------------------------------
3. Policy Considerations for the AI Accountability Ecosystem
Among the challenges facing policymakers in the AI accountability
space are tradeoffs among trustworthy AI goals, barriers to
implementing accountability mechanisms, complex AI lifecycle and value
chains, and difficulties with standardization and measurement.
Accountability ecosystems that might serve as models for AI systems
range from financial assurance, where there are relatively uniform
financial auditing practices,\58\ to environmental, social, and
governance (ESG) assurance, where standards are quite diverse.\59\
Considering the range of trustworthy AI system goals and deployment
contexts, it is likely that at least in the near term, AI
accountability mechanisms will be heterogeneous. Commentators have
raised concerns about the validity of certain accountability measures.
Some audits and assessments, for example, may be scoped too narrowly,
creating a ``false sense'' of assurance.\60\ Given this risk, it is
imperative that those performing AI accountability tasks are
sufficiently qualified to provide credible evidence that systems are
trustworthy.\61\
---------------------------------------------------------------------------
\58\ See generally, Financial Accounting Standards Board,
Generally Accepted Accounting Principles, <a href="http://asc.fasb.org/home">http://asc.fasb.org/home</a>.
\59\ See generally, Elizabeth Pollman, ``Corporate Social
Responsibility, ESG, and Compliance'' in Benjamin Van Rooij and D.
Daniel Sokol (Eds.) The Cambridge Handbook of Compliance (2021)
(``Companies have flexibility to create their own structures for
internal governance, their own channels for stakeholder engagement,
their own selection of third-party guidelines or standards, and in
many jurisdictions, their own level of disclosure.'').
\60\ See, e.g., Brandie Nonnecke and Philip Dawson, Human Rights
Implications of Algorithmic Impact Assessments: Priority
Considerations to Guide Effective Development and Use, Harvard
Kennedy School--Carr Center for Human Rights Policy, Carr Center
Discussion Paper (Oct. 21, 2021), <a href="https://carrcenter.hks.harvard.edu/files/cchr/files/nonnecke_and_dawson_human_rights_implications.pdf">https://carrcenter.hks.harvard.edu/files/cchr/files/nonnecke_and_dawson_human_rights_implications.pdf</a>.
\61\ See, e.g., Sasha Costanza-Chock et al., Who Audits the
Auditors? Recommendations from a Field Scan of the Algorithmic
Auditing Ecosystem, FaccT'22: Proceedings of the 2022 Association
for Computing Machinery Conference on Fairness, Accountability, and
Transparency, 1571-1583 (June 21-24, 2022), <a href="https://doi.org/10.1145/3531146.3533213">https://doi.org/10.1145/3531146.3533213</a>.
---------------------------------------------------------------------------
There may be other barriers to providing adequate and meaningful
accountability. Some mechanisms may require datasets built with
sensitive data that puts privacy or security at risk, raising questions
about trade-offs among different values. In addition, there may be
insufficient access to the subject system or its data, insufficient
qualified personnel to audit systems, and/or inadequate audit or
assessment standards to benchmark the work.\62\
---------------------------------------------------------------------------
\62\ Centre for Data Ethics and Innovation, Industry Temperature
Check: Barriers and Enablers to AI Assurance (Dec. 2022), <a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1122115/Industry_Temperature_Check_-_Barriers_and_Enablers_to_AI_Assurance.pdf">https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1122115/Industry_Temperature_Check_-_Barriers_and_Enablers_to_AI_Assurance.pdf</a>.
---------------------------------------------------------------------------
Timing is another complication for AI accountability, and
especially for providing assurance of AI systems. The point in an AI
system lifecycle at which an audit or assessment is conducted, for
example, will impact what questions it answers, how much accountability
it provides, and to whom that accountability is offered. The General
Services Administration has depicted an AI lifecycle that starts with
pre-design (e.g., problem specification, data identification, use case
selection), progresses through design and development (e.g., model
selection, training, and testing), and then continues through
deployment.\63\ Other federal agencies use substantially similar
lifecycle schema.\64\ Throughout this lifecycle, dynamic interactions
with data and iterative learning create many moments for evaluation of
specific models and the AI system as a whole.\65\
---------------------------------------------------------------------------
\63\ For other lifecycle models, see International Organization
for Standardization, Information Technology--Artificial
Intelligence--AI System Life Cycle Processes (ISO/IEC DIS 5338),
Edition 1, <a href="https://www.iso.org/standard/81118.html">https://www.iso.org/standard/81118.html</a> (under
development as of Oct. 22, 2022).
\64\ See, e.g., U.S. Department of Energy, DOE AI Risk
Management Playbook, <a href="https://www.energy.gov/ai/doe-ai-risk-management-playbook-airmp">https://www.energy.gov/ai/doe-ai-risk-management-playbook-airmp</a> (last visited Jan 30, 2023) (identifying
AI lifecycle stages as (0) problem identification, (1) supply chain,
(2) data acquisition, (3) model development, (4) model deployment,
and (5) model performance).
\65\ See generally, Norberto Andrade et al., Artificial
Intelligence Act: A Policy Prototyping Experiment--Operationalizing
the Requirements for AI Systems--Part I, 24-33 (Nov. 2022) <a href="https://openloop.org/reports/2022/11/Artificial_Intelligence_Act_A_Policy_Prototyping_Experiment_">https://openloop.org/reports/2022/11/Artificial_Intelligence_Act_A_Policy_Prototyping_Experiment_</a>Operation
alizing_Reqs_Part1.pdf (providing examples of interactions between
data and algorithmic outputs along the AI lifecycle and value
chain).
---------------------------------------------------------------------------
The AI value chain, including data sources, AI tools, and the
relationships among developers and customers, can also be complicated
and impact accountability. Sometimes a developer will train an AI tool
on data provided by a customer, or the customer may in turn use the
tool in ways the developer did not foresee or intend. Data quality is
an especially important variable to examine in AI accountability.\66\ A
developer training an AI tool on a customer's data may not be able to
tell how that data was collected or organized, making it difficult for
the developer to assure the AI system. Alternatively, the customer may
use the tool in ways the developer did not foresee or intend, creating
risks for the developer wanting to manage downstream use of the tool.
When responsibility along this chain of AI system development and
deployment is fractured, auditors must decide whose
[[Page 22438]]
data and which relevant models to analyze, whose decisions to examine,
how nested actions fit together, and what is within the audit's frame.
---------------------------------------------------------------------------
\66\ See, e.g., European Union Agency for Fundamental Rights,
Data Quality and Artificial Intelligence--Mitigating Bias and Error
to Protect Fundamental Rights (June 7, 2019), <a href="https://fra.europa.eu/sites/default/files/fra_uploads/fra-2019-data-quality-and-ai_en.pdf">https://fra.europa.eu/sites/default/files/fra_uploads/fra-2019-data-quality-and-ai_en.pdf</a>
(noting the importance for managing downstream risk of high-quality
data inputs, including completeness, accuracy, consistency,
timeliness, duplication, validity, availability, and whether the
data are fit for the purpose).
---------------------------------------------------------------------------
Public and private bodies are working to develop metrics or
benchmarks for trustworthy AI where needed.\67\ Standards-setting
bodies such as IEEE \68\ and ISO,\69\ as well as research organizations
focusing on measurements and standards, notably NIST,\70\ are devising
technical standards that can improve AI governance and risk management
and support AI accountability. These include standards for general
technology process management (e.g., risk management), standards
applicable across technologies and applications (e.g., transparency and
anti-bias), and standards for particular technologies (e.g., emotion
detection and facial recognition). For some trustworthy AI goals, it
will be difficult to harmonize standards across jurisdictions or within
a standard-setting body, particularly if the goal involves contested
moral and ethical judgements. In some contexts, not deploying AI
systems at all will be the means to achieve the stated goals.
---------------------------------------------------------------------------
\67\ See, e.g., Centre for Data Ethics and Innovation, The
Roadmap to an Effective AI Assurance Ecosystem--extended version
(Dec 8, 2021), <a href="https://www.gov.uk/government/publications/the-roadmap-to-an-effective-ai-assurance-ecosystem/the-roadmap-to-an-effective-ai-assurance-ecosystem-extended-version">https://www.gov.uk/government/publications/the-roadmap-to-an-effective-ai-assurance-ecosystem/the-roadmap-to-an-effective-ai-assurance-ecosystem-extended-version</a>; Digital
Regulation Cooperation Forum, Auditing algorithms: The Existing
Landscape, Role of Regulators and Future Outlook (Sept. 23, 2022),
<a href="https://www.gov.uk/government/publications/findings-from-the-drcf-algorithmic-processing-workstream-spring-2022/auditing-algorithms-the-existing-landscape-role-of-regulators-and-future-outlook">https://www.gov.uk/government/publications/findings-from-the-drcf-algorithmic-processing-workstream-spring-2022/auditing-algorithms-the-existing-landscape-role-of-regulators-and-future-outlook</a>.
\68\ See e.g., Institute of Electrical and Electronics Engineers
Standards Association, CertifAIEd, <a href="https://engagestandards.ieee.org/ieeecertifaied.html">https://engagestandards.ieee.org/ieeecertifaied.html</a> (last visited Jan 31, 2023) (a certification
program for assessing ethics of Autonomous Intelligent Systems).
\69\ See, e.g., International Organization for Standardization,
Information Technology--Artificial intelligence--Transparency
Taxonomy of AI Systems (ISO/IEC AWI 12792), Edition 1, <a href="https://www.iso.org/standard/84111.html">https://www.iso.org/standard/84111.html</a> (under development as of Jan. 30,
2023).
\70\ See, e.g., NIST, AI Standards: Federal Engagement, <a href="https://www.nist.gov/artificial-intelligence/ai-standards-federal-engagement">https://www.nist.gov/artificial-intelligence/ai-standards-federal-engagement</a>
(last visited Jan 31, 2023) (committing to standards work related to
accuracy, explainability and interpretability, privacy, reliability,
robustness, safety, security resilience, and anti-bias so as to
``help the United States to speed the pace of reliable, robust, and
trustworthy AI technology development.'').
---------------------------------------------------------------------------
To address these barriers and complexities, commentators have
suggested that policymakers and others can foster AI accountability by:
mandating impact assessments \71\ and audits,\72\ defining
``independence'' for third-party audits,\73\ setting procurement
standards,\74\ incentivizing effective audits and assessments through
bounties, prizes, and subsidies,\75\ creating access to data necessary
for AI audits and assessments,\76\ creating consensus standards for AI
assurance,\77\ providing auditor certifications,\78\ and making test
data available for use.\79\ We particularly seek input on these policy
proposals and mechanisms.
---------------------------------------------------------------------------
\71\ See, e.g., Andrew D. Selbst, An Institutional View of
Algorithmic Impact Assessments, 35 Harv. J.L. & Tech. 117 (2021).
\72\ See, e.g., Alex Engler, How the Biden Administration Should
Tackle AI Oversight, Brookings (Dec. 10, 2020), <a href="https://www.brookings.edu/research/how-the-biden-administration-should-tackle-ai-oversight">https://www.brookings.edu/research/how-the-biden-administration-should-tackle-ai-oversight</a> (advocating government audits of ``highly
impactful, large-scale AI systems''); Danielle Keats Citron and
Frank Pasquale, The Scored Society: Due Process for Automated
Predictions, 89 Wash U. L. Rev.1, 20-22 (2014) (advocating audit
requirements for algorithmic systems used in employment, insurance,
and health care contexts).
\73\ See, e.g., Ifeoma Ajunwa, An Auditing Imperative for
Automated Hiring Systems, 34 Harv. J. L. & Tech 621, 668-670 (2021).
\74\ See, e.g., Deirdre K. Mulligan and Kenneth A. Bamberger,
Procurement as Policy: Administrative Process for Machine Learning,
34 Berkeley Tech. L. J. 773, 841-44 (2019) (discussing public
procurement processes); Jennifer Cobbe et al., Reviewable Automated
Decision-Making: A Framework for Accountable Algorithmic Systems,
Proceedings of the 2021 Association for Computing Machinery
Conference on Fairness, Accountability, and Transparency, 598-609,
604 (March 2021), <a href="https://dl.acm.org/doi/10.1145/3442188.3445921">https://dl.acm.org/doi/10.1145/3442188.3445921</a>
(discussing relevance of procurement records to accountability
relationships).
\75\ See, e.g., Miles Brundage et al., Toward Trustworthy AI
Development: Mechanisms for Supporting Verifiable Claims, arXiv, 16-
17, (April 20, 2020) <a href="https://arxiv.org/abs/2004.07213">https://arxiv.org/abs/2004.07213</a> (proposing the
expanded use of bounties to help detect safety, bias, privacy, and
other problems with AI systems); see also Rumman Chowdhury and Jutta
Williams, Introducing Twitter's First Algorithmic Bias Bounty
Challenge, Twitter Engineering (Jul. 30, 2021), <a href="https://blog.twitter.com/engineering/en_us/topics/insights/2021/algorithmic-bias-bounty-challenge">https://blog.twitter.com/engineering/en_us/topics/insights/2021/algorithmic-bias-bounty-challenge</a>.
\76\ See, e.g., Sonia Gonz[aacute]lez-Bail[oacute]n, & Yphtach
Lelkes, Do Social Media Undermine Social Cohesion? A Critical
Review, Social Issues and Policy Review, Vol. 17, Issue 1, 1-180, 21
(2022), <a href="https://doi.org/10.1111/sipr.12091">https://doi.org/10.1111/sipr.12091</a> (arguing that for
investigations of social media algorithms, ``[p]olicy makers should
consider sponsoring academic-industry partnerships allowing
researchers to access this research and the data generated in the
process to produce evidence of public value while securing
privacy'').
\77\ See, e.g., Jakob M[ouml]kander and Maria Axente. Ethics-
Based Auditing of Automated Decision-Making Systems: Intervention
Points and Policy Implications, AI & Society, 28, 153-171 (Oct.
2021), <a href="https://doi.org/10.1007/s00146-021-01286-x">https://doi.org/10.1007/s00146-021-01286-x</a>.
\78\ See, e.g., United Nations Educational, Scientific and
Cultural Organization (UNESCO), Recommendation on the Ethics of
Artificial Intelligence (Nov. 23, 2021) at 27, <a href="https://unesdoc.unesco.org/ark:/48223/pf0000380455">https://unesdoc.unesco.org/ark:/48223/pf0000380455</a> (``Member States are
encouraged to . . . consider forms of soft governance such as a
certification mechanism for AI systems and the mutual recognition of
their certification, according to the sensitivity of the application
domain and expected impact on human rights, the environment and
ecosystems, and other ethical considerations . . . [including]
different levels of audit of systems, data, and adherence to ethical
guidelines and to procedural requirements in view of ethical
aspects.'').
\79\ See, e.g., National Artificial Intelligence Research
Resource Task Force, Strengthening and Democratizing the U.S.
Artificial Intelligence Innovation Ecosystem: An Implementation Plan
for a National Artificial Intelligence Research Resource, 32-36
(Jan. 2023), <a href="https://www.ai.gov/wp-content/uploads/2023/01/NAIRR-TF-Final-Report-2023.pdf">https://www.ai.gov/wp-content/uploads/2023/01/NAIRR-TF-Final-Report-2023.pdf</a> (proposing the federal curation of datasets
for use in training and testing AI systems).
---------------------------------------------------------------------------
Instructions for Commenters:
Through this Request for Comment, we hope to gather information on
the following questions. These are not exhaustive, and commenters are
invited to provide input on relevant questions not asked below.
Commenters are not required to respond to all questions. When
responding to one or more of the questions below, please note in the
text of your response the number of the question to which you are
responding. Commenters should include a page number on each page of
their submissions. Commenters are welcome to provide specific
actionable proposals, rationales, and relevant facts.
Please do not include in your comments information of a
confidential nature, such as sensitive personal information or
proprietary information. All comments received are a part of the public
record and will generally be posted to <a href="http://Regulations.gov">Regulations.gov</a> without change.
All personal identifying information (e.g., name, address) voluntarily
submitted by the commenter may be publicly accessible.
Questions
AI Accountability Objectives
1. What is the purpose of AI accountability mechanisms such as
certifications, audits, and assessments? Responses could address the
following:
a. What kinds of topics should AI accountability mechanisms cover?
How should they be scoped?
b. What are assessments or internal audits most useful for? What
are external assessments or audits most useful for?
c. An audit or assessment may be used to verify a claim, verify
compliance with legal standards, or assure compliance with non-binding
trustworthy AI goals. Do these differences impact how audits or
assessments are structured, credentialed, or communicated?
d. Should AI audits or assessments be folded into other
accountability mechanisms that focus on such goals as human rights,
privacy protection, security, and diversity, equity, inclusion, and
access? Are there
[[Page 22439]]
benchmarks for these other accountability mechanisms that should inform
AI accountability measures?
e. Can AI accountability practices have meaningful impact in the
absence of legal standards and enforceable risk thresholds? What is the
role for courts, legislatures, and rulemaking bodies?
2. Is the value of certifications, audits, and assessments mostly
to promote trust for external stakeholders or is it to change internal
processes? How might the answer influence policy design?
3. AI accountability measures have been proposed in connection with
many different goals, including those listed below. To what extent are
there tradeoffs among these goals? To what extent can these inquiries
be conducted by a single team or instrument?
a. The AI system does not substantially contribute to harmful
discrimination against people.
b. The AI system does not substantially contribute to harmful
misinformation, disinformation, and other forms of distortion and
content-related harms.
c. The AI system protects privacy.
d. The AI system is legal, safe, and effective.
e. There has been adequate transparency and explanation to affected
people about the uses, capabilities, and limitations of the AI system.
f. There are adequate human alternatives, consideration, and
fallbacks in place throughout the AI system lifecycle.
g. There has been adequate consultation with, and there are
adequate means of contestation and redress for, individuals affected by
AI system outputs.
h. There is adequate management within the entity deploying the AI
system such that there are clear lines of responsibility and
appropriate skillsets.
4. Can AI accountability mechanisms effectively deal with systemic
and/or collective risks of harm, for example, with respect to worker
and workplace health and safety, the health and safety of marginalized
communities, the democratic process, human autonomy, or emergent risks?
5. Given the likely integration of generative AI tools such as
large language models (e.g., ChatGPT) or other general-purpose AI or
foundational models into downstream products, how can AI accountability
mechanisms inform people about how such tools are operating and/or
whether the tools comply with standards for trustworthy AI? \80\
---------------------------------------------------------------------------
\80\ See, e.g., Jakob M[ouml]kander et. al., Auditing Large
Language Models: A Three-layered Approach (prepring 2003), ArXiv,
<a href="https://diu.org/10.48550/ARXIV.2302.08500">https://diu.org/10.48550/ARXIV.2302.08500</a>.
---------------------------------------------------------------------------
6. The application of accountability measures (whether voluntary or
regulatory) is more straightforward for some trustworthy AI goals than
for others. With respect to which trustworthy AI goals are there
existing requirements or standards? Are there any trustworthy AI goals
that are not amenable to requirements or standards? How should
accountability policies, whether governmental or non-governmental,
treat these differences?
7. Are there ways in which accountability mechanisms are unlikely
to further, and might even frustrate, the development of trustworthy
AI? Are there accountability mechanisms that unduly impact AI
innovation and the competitiveness of U.S. developers?
8. What are the best definitions of and relationships between AI
accountability, assurance, assessments, audits, and other relevant
terms?
Existing Resources and Models
9. What AI accountability mechanisms are currently being used? Are
the accountability frameworks of certain sectors, industries, or market
participants especially mature as compared to others? Which industry,
civil society, or governmental accountability instruments, guidelines,
or policies are most appropriate for implementation and
operationalization at scale in the United States? Who are the people
currently doing AI accountability work?
10. What are the best definitions of terms frequently used in
accountability policies, such as fair, safe, effective, transparent,
and trustworthy? Where can terms have the same meanings across sectors
and jurisdictions? Where do terms necessarily have different meanings
depending on the jurisdiction, sector, or use case?
11. What lessons can be learned from accountability processes and
policies in cybersecurity, privacy, finance, or other areas? \81\
---------------------------------------------------------------------------
\81\ See, e.g., Megan Gray, Understanding and Improving Privacy
`Audits' Under FTC Orders (April 18, 2018), at 4-8, <a href="http://doi.org/10.2139/ssrn.3165143">http://doi.org/10.2139/ssrn.3165143</a> (critquing the implementation of third-party
privacy audit mandates). For an example of more recent provisions
for privacy audits, see United States v. Epic Games, Stipulated
Order for Permanent Injunction, Civ. No. 5:22-cv-00518-BO (E.D.N.C.
Dec. 19, 2022), 22-25 (requiring assessments by independent third-
party auditors in a children's privacy settlement), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/2223087EpicGamesSettlement.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/2223087EpicGamesSettlement.pdf</a>.
---------------------------------------------------------------------------
12. What aspects of the United States and global financial
assurance systems provide useful and achievable models for AI
accountability?
13. What aspects of human rights and/or industry Environmental,
Social, and Governance (ESG) assurance systems can and should be
adopted for AI accountability?
14. Which non-U.S. or U.S. (federal, state, or local) laws and
regulations already requiring an AI audit, assessment, or other
accountability mechanism are most useful and why? Which are least
useful and why?
Accountability Subjects
15. The AI value or supply chain is complex, often involving open
source and proprietary products and downstream applications that are
quite different from what AI system developers may initially have
contemplated. Moreover, training data for AI systems may be acquired
from multiple sources, including from the customer using the
technology. Problems in AI systems may arise downstream at the
deployment or customization stage or upstream during model development
and data training.
a. Where in the value chain should accountability efforts focus?
b. How can accountability efforts at different points in the value
chain best be coordinated and communicated?
c. How should vendors work with customers to perform AI audits and/
or assessments? What is the role of audits or assessments in the
commercial and/or public procurement process? Are there specific
practices that would facilitate credible audits (e.g., liability
waivers)?
d. Since the effects and performance of an AI system will depend on
the context in which it is deployed, how can accountability measures
accommodate unknowns about ultimate downstream implementation?
16. The lifecycle of any given AI system or component also presents
distinct junctures for assessment, audit, and other measures. For
example, in the case of bias, it has been shown that ``[b]ias is
prevalent in the assumptions about which data should be used, what AI
models should be developed, where the AI system should be placed--or if
AI is required at all.'' \82\ How should AI accountability mechanisms
consider the AI lifecycle? Responses could address the following:
---------------------------------------------------------------------------
\82\ Reva Schwartz et al., Towards a Standard for Identifyng and
Managing Bias in Artificial Intelligence, NIST Special Publication
1270, at 6, <a href="https://doi.or/10.6028/NIST.SP.1270">https://doi.or/10.6028/NIST.SP.1270</a>.
---------------------------------------------------------------------------
a. Should AI accountability mechanisms focus narrowly on the
technical characteristics of a defined model and relevant data? Or
should they feature other aspects of the socio-
[[Page 22440]]
technical system, including the system in which the AI is embedded?
\83\ When is the narrower scope better and when is the broader better?
How can the scope and limitations of the accountability mechanism be
effectively communicated to outside stakeholders?
---------------------------------------------------------------------------
\83\ See, generally, Inioluwa Deborah Raji and Joy Buolamwini,
Actionable Auditing: Investigating the Impat of Publicly Naming
Biased Performance Results of Commercial AI Products, AIES 2019--
Proceedings of the 2019 AAAI/ACM Conference on AI, Ethics, and
Society, 429-435 (2019), <a href="https://doi.org/10.1145/3306618.3314244">https://doi.org/10.1145/3306618.3314244</a>
(discussing scoping questions).
---------------------------------------------------------------------------
b. How should AI audits or assessments be timed? At what stage of
design, development, and deployment should they take place to provide
meaningful accountability?
c. How often should audits or assessments be conducted, and what
are the factors that should inform this decision? How can entities
operationalize the notion of continuous auditing and communicate the
results?
d. What specific language should be incorporated into governmental
or non-governmental policies to secure the appropriate timing of audits
or assessments?
17. How should AI accountability measures be scoped (whether
voluntary or mandatory) depending on the risk of the technology and/or
of the deployment context? If so, how should risk be calculated and by
whom?
18. Should AI systems be released with quality assurance
certifications, especially if they are higher risk?
19. As governments at all levels increase their use of AI systems,
what should the public expect in terms of audits and assessments of AI
systems deployed as part of public programs? Should the accountability
practices for AI systems deployed in the public sector differ from
those used for private sector AI? How can government procurement
practices help create a productive AI accountability ecosystem?
Accountability Inputs and Transparency
20. What sorts of records (e.g., logs, versions, model selection,
data selection) and other documentation should developers and deployers
of AI systems keep in order to support AI accountability? \84\ How long
should this documentation be retained? Are there design principles
(including technical design) for AI systems that would foster
accountability-by-design?
---------------------------------------------------------------------------
\84\ See, e.g., Miles Brundage et al., Toward Trustworthy AI
Development: Mechanisms for Supporting Verifiable Claims at 24-25
(2020), http://www,<a href="http://twardtrustworthyai.com/">twardtrustworthyai.com/</a> (last visited Jan. 30,
2023) (discussing audit trail components). See also AI Risk Mgmt.
Framework 1.0, supra note 11 at 15 (noting that transparent AI
informs individuals about system characteristics and functions
ranging from ``design decisions and training data to model training,
the struture of the model, its intended use cases, and how and when
deployment, post-deployment, or end user decisions were made and by
whom''); id. at 16 (defining related terms: ``Explainability refers
to a representation of the mechanisms underlying AI systems'
operation, whereas interpretability refers to the meaning of AI
systems' output in the context of their designed functional
purposes'').
---------------------------------------------------------------------------
21. What are the obstacles to the flow of information necessary for
AI accountability either within an organization or to outside
examiners? What policies might ease researcher and other third-party
access to inputs necessary to conduct AI audits or assessments?
22. How should the accountability process address data quality and
data voids of different kinds? For example, in the context of automated
employment decision tools, there may be no historical data available
for assessing the performance of a newly deployed, custom-built tool.
For a tool deployed by other firms, there may be data a vendor has
access to, but the audited firm itself lacks. In some cases, the vendor
itself may have intentionally limited its own data collection and
access for privacy and security purposes. How should AI accountability
requirements or practices deal with these data issues? What should be
the roles of government, civil society, and academia in providing
useful data sets (synthetic or otherwise) to fill gaps and create
equitable access to data?
23. How should AI accountability ``products'' (e.g., audit results)
be communicated to different stakeholders? Should there be standardized
reporting within a sector and/or across sectors? How should the
translational work of communicating AI accountability results to
affected people and communities be done and supported?
Barriers to Effective Accountability
24. What are the most significant barriers to effective AI
accountability in the private sector, including barriers to independent
AI audits, whether cooperative or adversarial? What are the best
strategies and interventions to overcome these barriers?
25. Is the lack of a general federal data protection or privacy law
a barrier to effective AI accountability?
26. Is the lack of a federal law focused on AI systems a barrier to
effective AI accountability?
27. What is the role of intellectual property rights, terms of
service, contractual obligations, or other legal entitlements in
fostering or impeding a robust AI accountability ecosystem? For
example, do nondisclosure agreements or trade secret protections impede
the assessment or audit of AI systems and processes? If so, what legal
or policy developments are needed to ensure an effective accountability
framework?
28. What do AI audits and assessments cost? Which entities should
be expected to bear these costs? What are the possible consequences of
AI accountability requirements that might impose significant costs on
regulated entities? Are there ways to reduce these costs? What are the
best ways to consider costs in relation to benefits?
29. How does the dearth of measurable standards or benchmarks
impact the uptake of audits and assessments?
AI Accountability Policies
30. What role should government policy have, if any, in the AI
accountability ecosystem? For example: a. Should AI accountability
policies and/or regulation be sectoral or horizontal, or some
combination of the two?
b. Should AI accountability regulation, if any, focus on inputs to
audits or assessments (e.g., documentation, data management, testing
and validation), on increasing access to AI systems for auditors and
researchers, on mandating accountability measures, and/or on some other
aspect of the accountability ecosystem?
c. If a federal law focused on AI systems is desirable, what
provisions would be particularly important to include? Which agency or
agencies should be responsible for enforcing such a law, and what
resources would they need to be successful?
d. What accountability practices should government (at any level)
itself mandate for the AI systems the government uses?
31. What specific activities should government fund to advance a
strong AI accountability ecosystem?
32. What kinds of incentives should government explore to promote
the use of AI accountability measures?
33. How can government work with the private sector to incentivize
the best documentation practices?
34. Is it important that there be uniformity of AI accountability
requirements and/or practices across the United States? Across global
jurisdictions? If so, is it important only within a sector or across
sectors? What is the best way to achieve it? Alternatively, is
harmonization or interoperability sufficient and what is the best way
to achieve that?
[[Page 22441]]
Dated: April 7, 2023.
Stephanie Weiner,
Acting Chief Counsel, National Telecommunications and Information
Administration.
[FR Doc. 2023-07776 Filed 4-12-23; 8:45 am]
BILLING CODE 3510-60-P
</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>Indexed from Federal Register on April 13, 2023.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.