ICLE Comments on Managing Misuse Risk for Dual-Use Foundation Models
I. Introduction
We thank the National Institute of Standards and Technology (NIST) for the opportunity to comment on the initial public draft of AI 800-1, “Managing Misuse Risk for Dual-Use Foundation Models” (“Draft”). NIST’s efforts to address the potential risks associated with advanced artificial-intelligence (AI) systems are commendable, but several aspects of the proposed approach raise significant areas of concern.
Those concerns are outlined in these comments, which focus on what we believe to be the draft’s overly restrictive risk-assessment model and problematic dual-use classification, as well as the potential for negative effects on open-source development. If implemented as proposed, the framework could stifle innovation, limit the economic benefits of AI, and potentially undermine U.S. leadership in AI development.
NIST should instead pursue a harm-focused approach based on the concept of “regulation as a discovery process,” which would more effectively balance the need for responsible AI development with the imperative to foster innovation. Our recommendations in this area are designed to contribute to developing a more nuanced, flexible, and effective regulatory framework for AI that aligns with the rapidly evolving nature of these transformative technologies.
II. Regulation of ‘Dual-Use Foundation Models’
A. Overly Restrictive Risk Assessment
One critical issue with the draft is the approach it takes to risk and liability assessment. The document appears to recommend a broad liability framework for foundation-model developers without adequate consideration of the nuances that differentiate various use cases, or developers’ ability to control downstream usage.[1] When considering liability for AI systems, it is useful to draw parallels with existing legal frameworks, such as the “least-cost avoider” principle in common law.[2]
The law & economics concept of the “least-cost avoider” refers to the party in a conflict who can most efficiently reduce the probability of a costly interaction.[3] In the context of AI, this principle suggests that liability should be assigned to the entity or entities that can most effectively and economically mitigate potential harms.
Applying this principle judiciously to AI systems will encourage developers and deployers to take reasonable steps to protect both their own users and potential non-users who might be affected by the AI models in question. It should be emphasized that this approach doesn’t necessarily mean holding any particular AI developer liable for all harmful outcomes of their models or products. Rather, it militates for imposing a duty of care, as appropriately dictated by the circumstances, that would require a developer to take those reasonable measures necessary to mitigate foreseeable risks, given the degree of control they have over users of their products.
Any liability framework should be sufficiently flexible to account for the diverse instantiations of AI technologies. It should also consider the specific context of each use case, the degree of control each party has over the AI system, and the practical ability that different relevant parties possess to prevent harm.[4]
While there may be instances where it’s appropriate for a product developer to bear presumptive liability, policymakers should remain skeptical of the wisdom of imposing such liability as an ex ante rule to all foundation models. For regulators to assign liability in this way would run the risk of creating a strict liability regime, which appears particularly ill-suited for vast swathes of the AI ecosystem.
Ideally, courts should be allowed to parse the specifics of particular cases, and thereby to shape the contours of liability and relevant duties of care. This would allow for more balanced consideration of the social benefits that AI platforms provide (e.g., innovation, expression, and commerce) as weighed against the need to limit the social costs of unlawful or harmful AI conduct. Short of that, regulatory intervention in the assignment of liability should follow the same principles as do courts at common law: proceed case-by-case and remain sensitive to the full context of particular developers, deployers, products, and consumers.
Furthermore, the draft fails to adequately account for the diverse nature of AI technologies and the various commercialization models employed by the emerging AI industry. As noted by Jason Potts, “AI is not a single technology, or even industry, and is composed of extremely complex and varied ownership and governance at each composite layer.”[5] This complexity makes it challenging to craft a one-size-fits-all regulatory approach, much less to assume that a broad category of developers is always best-positioned to assume liability for AI development.
The document’s narrow focus on initial developers overlooks the reality that many components within the AI stack are often developed via open-source processes or in a modular fashion, and are subsequently assembled by firms using business models that may vary along the spectrum of relatively open to relatively closed. For instance, while some aspects of AI development—such as model training in advanced data centers—may tend to be centralized due to efficiency considerations, other components are developed in a more distributed manner, such as low-level AI tools[6] or products that incorporate trained models.[7]
By placing undue burden on foundation-model developers and, as discussed below, potentially restricting open-source development, the draft risks stifling innovation and limiting the broader economic benefits of AI in the United States. The lack of a vibrant U.S.-based foundation-model ecosystem could undermine U.S. global tech leadership, as developers worldwide turn to foundation models developed in other countries—including those that lack some of the United States’ basic legal norms.
B. The Problem with ‘Dual-Use’ Classification
The draft relies heavily on the concept of “dual-use foundation models.”[8] However, this classification raises significant issues that could potentially lead to stifled innovation in the AI field without generating concomitant consumer benefits from regulation.
Even applying the term “dual use” to AI technologies raises significant issues. Virtually any technological tool can be considered “dual use,” in the sense that it has both benign and potentially harmful applications. This renders the term nearly meaningless as a basis for targeted regulation. Further, the draft’s definition of dual-use foundation models creates, at least implicitly, a presumption of harmfulness. This presumption is not only unwarranted, but could also lead to unnecessary restrictions on beneficial AI development and deployment.
Moreover, the draft is unclear about how to prioritize potential risks from “dual-use” technologies, which could push developers to make binary determinations (either “harmful” or “not harmful”) when considering new products and improvements. The draft offers examples of risks that it posits may be representative, such as “the risks that models will facilitate the development of chemical, biological, radiological, or nuclear weapons; enable offensive cyber attacks; aid deception and obfuscation; and generate child sexual abuse material (CSAM) and non-consensual intimate imagery (NCII) of real individuals.”[9] But it remains unclear whether this list is meant to be comprehensive or if foundation-model developers are also responsible for analyzing other, as-yet undefined risks. Further, the risk of “deception” can mean very different things in different contexts. Some may call political parody “deceptive” misinformation, while others may regard it as merely entertaining. The draft should be amended to clarify these issues.
More broadly, the draft’s dual-use classification opens what is potentially a giant definitional loophole that threatens to subsume virtually any useful AI system. The document employs expansive definitions to describe a generalized threat—specifically that dual-use models could “permit the evasion of human control or oversight through means of deception or obfuscation.”[10] But such language could be said to apply to a broad array of general-purpose AI technologies. All software—particularly highly automated software—may in some circumstances pose serious risks to any of a host of other concerns that we wish to protect. Encryption and other privacy-protecting tools certainly fit this definition.[11] While it is crucial to mitigate harms associated with the misuse of AI technologies, the blanket treatment of all technologies under this category raises the risk of stifling overregulation.
Rather than rely on broad and potentially misleading classifications assigned to potential dual-use capabilities, a more effective approach would be to focus on specific and demonstrable harms. This would involve developing a more nuanced framework to assess AI technologies—one that considers the specific application domain and context of use.[12] It’s crucial to clarify and prioritize specific risks that require regulatory attention, rather than using catch-all categories. Many technologies pose the potential for misuse, but this potential alone should not be the sole basis for restrictive regulation.
C. Impacts on Open-Source Development
The safeguards and restrictions proposed by the draft could also significantly undermine the open-source AI ecosystem. While the draft’s recommendations are intended to mitigate risk, they fail to adequately consider the unintended consequences that these measures could have on open-source innovation.
Open-source software development is a vital component of the broader technological ecosystem, and this is especially true in the realm of AI. Many components of the AI stack are developed through open-source processes or in a modular fashion, and are assembled by firms using business models that vary in the degree to which they are relatively open or relatively closed.[13] This underscores the difficulty of clearly assigning liability to “foundation models” or to any of the various elements of the complex, multi-layered AI ecosystem.
At the foundation of that ecosystem is the hardware layer, which includes semiconductors and raw computing power, alongside “XaaS” (everything-as-a-service) providers that offer virtual access to storage, processing, and software resources.[14] The next layer is data, which may be structured (organized in databases) or unstructured (text, images, videos).[15] The quality and quantity of these data are fundamental to an AI system’s performance. The data layer involves processes for collection, preparation (cleaning, transforming, and labeling), and curation. Next is the model-training layer, where various techniques—such as supervised learning, unsupervised learning, reinforcement learning, and transfer learning—are employed to create AI models that can perform specific tasks.[16]
The deployment layer represents the final stage, where trained models are put into operation. This can occur in cloud environments, for scalability; on edge devices, for reduced latency; or on-premises, for enhanced data control. Each deployment method serves different user needs, and is often managed by specialized firms with distinct business models. This layered structure of the AI stack underscores the diversity among AI technologies and the challenges that inevitably attend defining broad product markets around these heterogeneous components.
In short, while the draft focuses primarily on foundation models, in reality, there are many distinct pieces that constitute the creation and training of AI models. Moreover, this diversity and flexibility in development approaches has been instrumental in driving rapid advancements in AI capabilities and applications.
The draft’s recommended safeguards could, however, severely restrict this open-development model. For instance, the document suggests implementing measures to prevent model theft and limit access to model weights.[17] While these measures might be appropriate in some contexts, their blanket application could effectively shut down many open-source AI projects, where such requirements don’t make sense given the distributed nature of their development. In particular, these measures presume a proprietary model of development that can be secured at a centralized source. This runs completely contrary to the nature of many (if not all) open-source development projects, which rely on decentralized control, widely distributed code, and data sharing. The ability to freely access, modify, and distribute model weights is often fundamental to open-source AI development. Restricting this ability could stifle innovation and collaboration across the field.
Furthermore, such restrictions would pose a direct and fundamental threat to the development of open-source foundation models. By making it more difficult or risky to develop and share open-source models, the draft’s recommendations could inadvertently push the field toward more closed and proprietary models. This shift would not only limit the diversity of approaches in AI development, but could also concentrate power in the hands of a few large companies with the resources to develop and maintain proprietary models.
Another significant concern is the potential that such restrictions could limit the broader economic benefits of AI in the United States.[18] Open-source technologies have been a driving force behind the rapid adoption and integration of AI across various sectors of the economy. By potentially restricting open-source development, the draft could slow this adoption process, limiting the economic gains and productivity improvements that generative AI promises.[19]
Moreover, the document’s approach appears to overlook the self-regulatory mechanisms that often emerge within open-source communities. These communities frequently develop their own best practices and ethical guidelines, which can be more adaptive and nuanced than top-down regulatory approaches.[20] By potentially sidelining these community-driven efforts, following the draft’s recommendations might actually serve to reduce overall safety and responsibility in AI development, rather than enhance it.
The draft’s proposed restrictions could also have far-reaching implications for AI research and education. Open-source models and tools are vital resources for academic researchers and students, providing accessible platforms for learning, experimentation, and innovation.[21] Limiting access to these resources could create a significant barrier to entry for new talent in the field, potentially slowing the pace of AI advancement and reducing the diversity of voices contributing to its development.
III. The Need for Context-Specific Regulation
As we note below, rather than the draft’s current approach, what is needed is a more flexible and adaptive governance framework that would allow industry best practices to evolve organically in response to technological change and consumer demands.[22] Policymakers should embrace a dynamic and context-specific framework that focuses on addressing tangible harms while leaving room for experimentation and innovation.
Crucial to this approach is that AI regulation must not disproportionately focus on mitigating risks without giving sufficient consideration to the immense benefits that AI technologies might also yield. As many of AI’s potential risks remain largely hypothetical, regulatory proposals can quickly become unmoored from the real world and how the technology is actually used. This problem is exacerbated by the nature of risk perception. As Aaron and Adam Wildavsky have observed, familiarity with known hazards does not necessarily determine whether or to what degree an individual or organization will perceive a given technology as safe or dangerous.[23] This holds true not only for laypeople, but also for experts in risk assessment.
Ideally, AI regulation should be focused on empirically observed harms, but a risk-based framework that is limited in scope to better match anticipated real-world harms would the next-best option. The approach recommended by the National Telecommunications and Information Administration (NTIA) in its recent report “Dual Use Foundation Models with Widely Available Model Weights” offers such a framework to analyze marginal risks.[24]
Following extensive stakeholder outreach,[25] NTIA developed its framework to provide a more nuanced and balanced assessment of the potential impact of open-foundation models. NTIA defines marginal risks and benefits as “the additional risks and benefits that widely available model weights introduce compared to those that come from non-open foundation models or from other technologies more generally.”[26] This framework was adopted to avoid targeting dual-use foundation models with restrictions that are unduly stricter than alternative systems that pose a similar balance of benefits and risks.[27] By focusing on the marginal differences between open and closed foundation models (and between AI and non-AI products), NTIA advocates for rooting analysis of potential risks in empirical reality, as opposed to speculation.
The NTIA report outlines three key conditions to assess marginal risks and benefits:
- There must be a difference in the magnitude of risks/benefits between open and closed models;
- The risks/benefits must be greater for dual-use foundation models than for non-AI technologies or other AI models; and
- The risks/benefits must arise from future models over and above those already generally released.[28]
The benefits of this approach are that it focuses on the measurable differences among both AI and non-AI technologies, as well as the relevant differences between AI technologies with open weights and those with closed weights. That is, the NTIA framework focuses on the empirically observable facts that actually affect adoption, use, and potential harms arising from AI use, rather than developing ex-ante regulatory frameworks based on speculation. It also acknowledges the challenges inherent in assessing such risks, noting that “[r]isks and benefits that satisfy all three conditions are difficult to assess based on current evidence,”[29] and thus acknowledging the need to proceed cautiously.
Indeed, this approach is eminently sensible, insofar as we don’t yet even have a clear taxonomy of what it means to regulate “AI.” The diversity of AI technologies has profound implications for regulation and development. For example, leaving aside the glitz around newly popular LLMs and their ability to plausibly pass the Turing test, there remain big questions about the nature of the harms expected from such a technology. Is it the system’s autonomous behavior that is the primary concern, as was the case for high-frequency trading and the flash crash?[30] Or is it the possibility that bad actors will have new tools that help them to break existing criminal laws? Or is it some mixture of the two?
This isn’t merely an academic question. The application domain for practical uses of AI technology requires nuance, as different regulatory considerations are relevant for AI systems designed for autonomous vehicles versus those used in financial algorithms, creative content generation, autonomous weapons systems, or predictive policing. An approach focused on assessing marginal risks is broadly compatible with the diverse nature of AI technologies and products in a way that an ex-ante risk framework is not.
Ideally, NIST should advocate for a harm-based approach that roots regulation in empirically observable harms that actually exist. However, short of that, NIST should consider a marginal-risk framework along the lines of what NTIA has adopted. This would be valuable not merely because such an approach preserves space for innovation in AI, while also focusing on actual harms. It also would help regulatory agencies focus on their actual missions. A harm-based or marginal-risk framework would enable more targeted and efficient allocations of resources in the face of a technology that is incredibly diverse both in its core technologies, its current product offerings, and the innumerable use cases that individuals will adopt.
IV. Regulation as a Discovery Process
In the rapidly evolving field of AI, traditional methods of regulation are likely to prove ineffective. Instead, regulators should adapt their mission and view regulation as a “discovery” process, an approach that is particularly well-suited to the dynamic nature of AI technologies. This perspective offers a more flexible and adaptive framework for governing AI development and deployment.
As proposed by Geoffrey Manne and Gus Hurwitz, “regulation as a discovery process” counsels for treating regulation not merely as a mechanism to decree and enforce rules, but as a process to discover information that can inform and improve regulatory approaches over time.[31] This perspective is particularly pertinent to AI, where the pace of innovation and the complexity of technologies often outstrip regulators’ understanding and ability to predict future developments.
At its core, this approach asks regulators to consider that they might be wrong—that they might be asking the wrong questions, collecting the wrong information, or analyzing it incorrectly.[32] It acknowledges that there is no amount of information collection or analysis that is guaranteed to be “enough,” especially when dealing with complex, dynamic industries. This epistemic humility is crucial in a field where our understanding of the technology’s capabilities and implications is constantly evolving.
Adopting regulation as a discovery process means shifting how regulatory agencies conceptualize their mission. Instead of focusing solely on writing and enforcing regulations, agencies should see themselves as assisting lawmakers to assemble, filter, and focus on the most relevant and pressing information needed to understand the market’s changing dynamics. This requires setting up ongoing mechanisms to gather and report data, such as regulatory sandboxes,[33] and directing the process toward specifications for how information should be used prior to its collection (i.e., how it feeds back into the regulatory process).
This approach stands in contrast to the draft’s treatment of transparency and reporting requirements, as outlined in Objective 7.[34] While NIST recognizes the importance of transparency, its approach seems to view transparency primarily as a means of ensuring compliance with predetermined rules. Regulation as a discovery process, on the other hand, sees transparency and reporting as part of ongoing learning, where the information gathered actively shapes and refines the regulatory approach.
Embracing regulation as a discovery process is particularly crucial in the context of AI, given the limits of our collective knowledge about the technology’s potential risks and benefits. It underscores why regulators should prioritize generating and using new information through regulatory experiments, iterative rulemaking, and feedback loops. A more adaptive regulatory framework could respond to new developments and insights in AI technologies, thereby ensuring that regulations remain relevant and effective without stifling innovation.
Moreover, this approach emphasizes the importance of considering regulation as an information–producing activity. In the context of AI regulation, this extends beyond mere data collection. It suggests that any regulatory mechanism should incorporate processes to ensure that information is not only generated as part of the regulatory process, but also fed back into it. This cyclical approach to information flow is crucial to maintain relevance and effectiveness in the rapidly evolving field of AI.
Adopting regulation as a discovery process would offer policymakers several avenues to create a more dynamic and informed regulatory environment for AI.
First, it would mitigate the issue of overly restrictive risk assessment by embracing a more flexible and adaptive framework. Instead of imposing rigid, predetermined rules based on speculative risks, this approach allows for ongoing learning and adjustment as real-world evidence emerges. This aligns with the NTIA’s marginal-risk framework, which focuses on actual and measurable differences in risks and benefits, rather than hypothetical scenarios.
Second, it addresses the problems associated with the broad dual-use classification. By viewing regulation as an information-gathering and learning process, we can move away from blanket categorizations and toward a more nuanced understanding of AI technologies and their applications. This approach also allows for context-specific assessments, recognizing that the risks and benefits of AI systems can vary greatly depending on their specific use cases and deployment contexts.
Third, the discovery-process approach is more conducive to fostering open-source development. By emphasizing ongoing dialogue and collaboration among regulators, developers, and other stakeholders, this approach can help to balance safety concerns with the need for innovation. It also allows for the development of more adaptive and nuanced guidelines that account for the idiosyncratic nature of different approaches to software development and deployment, while still addressing legitimate safety concerns.
Moreover, this approach’s emphasis on information production and feedback loops can help regulators stay abreast of rapid technological developments. This is crucial to address the concern that rigid regulations might stifle innovation or quickly become obsolete in the fast-moving field of AI.
By adopting regulation as a discovery process, we can create a regulatory environment that is more responsive to the actual state of AI technology, more attuned to real-world impacts, and more supportive of beneficial innovation. This approach provides a framework to develop policies that are empirically grounded, adaptable, and better equipped to balance the immense potential of AI with responsible risk management.
V. Conclusion and Recommendations
The draft’s focus on “dual-use” models, its implicit presumption of harm, and its recommended restrictions that would make open-source development difficult or impossible all would likely yield more harms than benefits. We advise that NIST pursue an alternate approach to regulating foundation models that aims to strike a more appropriate balance between managing risks and fostering innovation.
The preferred regulatory framework would be adaptable, context-specific, and would focus on addressing tangible harms, rather than speculative risks. Moreover, it would not presume that any given type of model is harmful (as is implicitly the case when regulating models as “dual use”). The rapidly evolving nature of AI technology necessitates a dynamic approach to regulation—one that can keep pace with technological advancements and respond to emerging challenges in real time.
A key element of this proposed approach is to focus on tangible and demonstrable harms, rather than potential risks. Ideally, this would be a harm-based approach, grounded in legal traditions that appreciate the nuances of relative risk, with calculations of actual harms derived from longstanding legal principles and empirical realities. By prioritizing the mitigation of real, observed harms over speculative risks, regulators can ensure that their efforts are targeted and effective, without unduly constraining beneficial innovation.
Short of that, NIST would do well to incorporate a marginal-risk framework into its proposed regulatory approach. Such a framework would assess the additional risks and benefits that widely available model weights introduce, relative to those from non-open foundation models or other non-AI technologies. By adopting this disposition, regulators would avoid imposing unnecessarily strict restrictions on open-weight models that may not pose significantly greater risks than their closed counterparts or existing technologies.
This alternate approach would also place a strong emphasis on preserving and promoting open-source AI development. Open-source models have played a crucial role in democratizing AI technology, fostering innovation, and accelerating research. Any regulatory framework should recognize this value and avoid measures that would unduly restrict or discourage open-source development. Instead, regulators should work collaboratively with the open-source community to develop guidelines and best practices that address legitimate safety concerns, while preserving the benefits of openness.
Whatever risk- or harm-based framework is adopted, NIST should encourage the use of discovery processes in AI regulation. In practical terms, this approach would involve a more flexible and iterative regulatory process. Rather than imposing rigid rules ex ante, regulators would engage in ongoing monitoring and assessment of AI developments, adjusting their approach as new information becomes available. Moreover, this alternative approach would emphasize the importance of multi-stakeholder collaboration in developing and implementing AI governance frameworks. This would involve ongoing dialogue among regulators, industry experts, researchers, and civil-society organizations to ensure that regulatory measures are informed by diverse perspectives and the latest technological insights.
By adopting this more balanced, dynamic, and context-specific approach to AI regulation, policymakers can better ensure an environment that fosters responsible innovation while effectively managing genuine risks. This approach would not only be more conducive to technological progress, but would also be more resilient in the face of rapid advancements in AI technology. It would allow the United States to maintain its leadership in AI development, while ensuring that these powerful technologies are deployed in ways that align with social values and priorities.
Ultimately, the goal of this alternate approach is to create a regulatory framework that is as innovative and adaptive as the technology it seeks to oversee. By focusing on tangible harms, embracing context specificity, and recognizing the value of open-source development, this approach can help to unlock the immense potential of AI while responsibly managing its risks.
[1] See, Managing Misuse Risk for Dual-Use Foundation Models, Nat’l Inst. of Standards and Tech., available at https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.800-1.ipd.pdf (last visited Sep. 5, 2024) (“This document focuses on misuse risk from dual-use foundation models… [which] includes foundation models that exhibit, or could be easily modified to exhibit, high levels of performance at tasks that can pose a serious risk to security, economic security, public health or safety, or any combination of those.”) [hereinafter “Draft”].
[2] See Geoffrey A. Manne et al., Who Moderates the Moderators?: A Law & Economics Approach to Holding Online Platforms Accountable Without Destroying the Internet, Int’l Cent. L. & Econ. (Nov. 9, 2021), https://laweconcenter.org/resources/who-moderates-the-moderators-a-law-economics-approach-to-holding-online-platforms-accountable-without-destroying-the-internet.
[3] See Harold Demsetz, When Does the Rule of Liability Matter?, 1 J. Leg. Stud. 13, 28 (1972); see generally Ronald Coase, The Problem of Social Cost, 3 J. L. & Econ. 1 (1960).
[4] See e.g., Manne et al., supra note 2, at 36-47.
[5] Jason Potts, Jason Potts: “Sources of Innovation in Generative AI”, Nat’l L. Rev. (Feb. 21, 2024), https://www.networklawreview.org/jason-potts-generative-ai.
[6] See, e.g., Learn the Basics, PyTorch, https://pytorch.org/tutorials/beginner/basics/intro.html (last visited Sep. 6, 2024); Tim Mucci, Five Open-source AI Tools to Know, Int’l. Bus. Mach. Corp. (Dec. 15, 2023), https://www.ibm.com/blog/five-open-source-ai-tools-to-know.
[7] See, e.g., Qualcomm Enables Meta Llama 3 to Run on Devices Powered by Snapdragon, Qualcomm (Apr. 18, 2024), https://www.qualcomm.com/news/releases/2024/04/qualcomm-enables-meta-llama-3-to-run-on-devices-powered-by-snapd; Clip Studio Paint to Include Experimental Image Generator Palette in Winter Update, Clip Studio Paint, https://www.clipstudio.net/en/news/202211/29_01 (last visited Dec. 02, 2022).
[8] Id. at 1.
[9] See, Managing Misuse Risk for Dual-Use Foundation Models, supra note 1, at 1.
[10] See Id. at 18.
[11] Encryption and the “Going Dark” Debate, Cong. Rsch. Serv., https://crsreports.congress.gov/product/pdf/R/R44481 (last updated Jan. 25, 2017).
[12] See discussion, infra, at nn. 29-32 and accompanying text.
[13] Alex Engler, How Open-Source Software Shapes AI Policy, Brookings Inst. (Aug. 10, 2021), https://www.brookings.edu/articles/how-open-source-software-shapes-ai-policy.
[14] Romit Dey & George Korizis, How Anything-As-A-Service (XaaS) Can Help Reinvent Business Models and Transform Outcomes Across Industries, Price Waterhouse and Coopers & Lybrand, https://www.pwc.com/us/en/services/consulting/business-transformation/library/use-xaas-to-reinvent-business-models.html (last visited Sep. 6, 2024).
[15] See, e.g., Structured vs Unstructured Data, IBM (Jun. 29, 2021), https://www.ibm.com/think/topics/structured-vs-unstructured-data; Dongdong Zhang et al., Combining Structured and Unstructured Data for Predictive Models: A Deep Learning Approach, BMC Med. Informatics Dec. Making 280 (2020), https://link.springer.com/article/10.1186/s12911-020-01297-6 (describing generally the use of both structured and unstructured data in predictive models for health care).
[16] Anil Ananthaswamy, Why Machines Learn: The Elegant Math Behind Modern Ai 12-13 (2024).
[17] Draft at 8-9.
[18] Id. at 7.
[19] See, e.g., Michael Chui, et al., The Economic Potential Of Generative AI: The Next Productivity Frontier, McKinsey Digital (2023), https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/the-economic-potential-of-generative-ai-the-next-productivity-frontier (“Generative AI’s impact on productivity could add trillions of dollars in value to the global economy. Our latest research estimates that generative AI could add the equivalent of $2.6 trillion to $4.4 trillion annually across the 63 use cases we analyzed—by comparison, the United Kingdom’s entire GDP in 2021 was $3.1 trillion. This would increase the impact of all artificial intelligence by 15 to 40 percent. This estimate would roughly double if we include the impact of embedding generative AI into software that is currently used for other tasks beyond those use cases”); Generative AI Could Raise Global GDP by 7%, Goldman Sachs (Apr. 5, 2023), https://www.goldmansachs.com/insights/articles/generative-ai-could-raise-global-gdp-by-7-percent (“As tools using advances in natural language processing work their way into businesses and society, they could drive a 7% (or almost $7 trillion) increase in global GDP and lift productivity growth by 1.5 percentage points over a 10-year period”).
[20] See, e.g., Hugging Face, GPT-4chan, https://huggingface.co/ykilcher/gpt-4chan (last visited Sep. 5, 2024).
[21] Miguel A. Cardona et al., Artificial Intelligence and the Future of Teaching and Learning, U.S. Dept. of Educ., https://www2.ed.gov/documents/ai-report/ai-report.pdf (last visited Sep. 5, 2024).
[22] See, infra, at nn. 29-32 and accompanying text.
[23] See Aaron Wildavsky & Adam Wildavsky, Risk and Safety, Econlib, https://www.econlib.org/library/Enc/RiskandSafety.html (last visited Sep. 5, 2024).
[24]See, Dual-Use Foundation Models with Widely Available Model Weights, Nat’l Telecomm. Info. Admin., available at https://www.ntia.doc.gov/sites/default/files/publications/ntia-ai-open-model-report.pdf, at 2 (last visited Sep. 5, 2024).
[25] Id. at 3.
[26] Id. at 10.
[27] Id. at 10.
[28] Id. at 10-11.
[29] Id. at 11.
[30] See Tom C.W. Lin, The New Investor, 60 UCLA L. Rev. 678 (2013).
[31] Justin (Gus) Hurwitz & Geoffrey A. Manne, Pigou’s Plumber: Regulation as a Discovery Process, SSRN (2024), https://laweconcenter.org/resources/pigous-plumber.
[32] Id. at 32.
[33] See Thomas A. Hemphill, Technology Entrepreneurship and Innovation Hubs: Perspectives on the Universal Regulatory Sandbox, 50 Sci. & Pub. Pol’y 350, 352 (2022), https://doi.org/10.1093/scipol/scac072; Sofia Ranchordds, Experimental Regulations and Regulatory Sandboxes – Law Without Order?, 2021 Law & Method 2-3, available at https://www.lawandmethod.nl/tijdschrift/lawandmethod/2021/12/lawandmethod-D-21-00012.pdf.
[34] See Draft, supra note 1, at 16-17.