The point of regulation should be to protect people from physical, mental, environmental, social, or financial harm caused by the actions or negligence of others. (Some may add requirements like “fairness” or “transparency”, or expand the protection to animals, plants, institutions, historic landmarks, etc. For this question, let’s stick to the general point described above). Regulation doesn’t guarantee that accidents won’t happen. But, if something were to go wrong, then a requirement is that the fix must be guaranteed. This requires both explainability (to know why the error occurred) and determinism (to assure the fix works every time) in the solution.

Imagine if someone asked, “At what point should we start putting regulations on computer software?” That’s not a very precise question. What kind of software? Video games? Spread sheets? Malware? Similarly, artificial intelligence can be implemented in many ways. It’s important to distinguish types and use cases. Below, some basic types are briefly described with just enough detail to answer this question.

1. Automation - A lot of what is called “AI” today is simply what was called “automation” a decade ago. Someone notices a pattern in their daily work with some variables, and writes up a program to repeat that work for them. There’s no learning by the program. The “intelligence” is provided by the developer when coding. Occasionally, some patterns change or new variables appear requiring the developer to update the code. If you’ve ever created a “macro” (or cleverly used redstone in Minecraft), then you’ve automated your work.

2. Modeling - A step more sophisticated than mere automation, modeling requires a developer to understand the problem enough to consider edge cases, variables, and patterns not yet seen. The better the model, the more of the possibility space is covered without going overboard to handle cases that will never be encountered. Models are also not capable of learning. Again, the “intelligence” is provided by the developer. Models are static and require manual effort to improve over time. These work best in deterministic, well-defined problem domains where information is fully known, such as chess. All the rules are known. Pieces move in exactly specified ways. Everyone sees the full board - nothing is hidden. The variable is the opponent’s choices, but they are restricted to a finite set of possibilities. Brute-force methods that test all possibilities before selecting, or search algorithms (e.g. A*, pronounced “A star”) that reduce the number of possibilities to test, find optimal game play. People have also applied models to non-deterministic (i.e. stochastic) problems that also don’t provide all the information. This is what the weather service does when telling you that there is an 80% chance of rain tomorrow. There’s no way for them to know where every molecule is, or their velocity, yet there are multiple “weather models” that provide a reasonable accounting of the possibilities. Notice that the results are returned as probabilities instead of absolutes like in chess. Similarly, quants (“quantitative analysts”) create models to predict the stock market.

3. Machine Learning - Providing the software a way to change its internal models starts to remove the human from some parts of the solution. Essentially, data becomes the majority of the system’s programming. Humans, however, still create machine learning models, select what they believe is relevant data to use for training, iterate and interpret results until the answers fit the developer’s belief of what a good answer should look like. All this introduces human bias into the solution. Examples of machine learning techniques include “deep learning”, “convolutional neural networks”, “support vector machines”, and “random forests”. These solutions address problem domains that are stochastic in nature, and/or have missing or hidden information. Games of chance, use cases like stock market predictions, actuarial sciences, or complicated “big data” all good candidates for machine learning techniques.

4. Artificial General Intelligence (AGI) - This is the holy grail of, well, everything. Building machines that learn and think in general enough ways and can adapt to environmental changes on their own without human involvement is the endgame of computing, to pick just one field. There may seem to be a large gap from 3 to 4, but the reality is that all the other solutions are just variations of what already exist.

Let’s consider what regulation would mean for each type. Keep in mind that regulation requires people to review and understand what is happening between the inputs and outputs of a system enough to assure the solution can do no harm. Regulation is built on trust. We trust that the regulators both understand and are competent in doing their jobs. We can’t automate regulation, otherwise we are stuck in an endless loop to regulate the software that regulates software that regulates software…see? Regulation requires humans, trust, and competence.

Regulations currently exist for the first two types of AI. The third and fourth types become tricky.

Regulating automation - These programs rely exclusively on the work of people. These types of programs are already regulated in industries and critical applications. For example, the autopilot software on an aircraft must pass stringent certifications, as do many medical devices. Regulation can consist of auditing the software to uncover malware, bugs, or deficiencies. Basically, this aggregates the responsibilities of one person (the developer) with another (the independent auditor). The assumption is that a second person’s check will catch any irregularities or issues. (This is a trivialized view of what actually occurs. Ideally, there are multiple testing teams at different stages of development and deployment.) Regulation works here because humans can understand these systems.

Regulating modeling - These programs also rely exclusively on the work of people. Therefore, the lend themselves well to regulation. Modeling is a step more sophisticated than automation, so this does get trickier. But, it is still within the realm of trustworthy people competently executing their regulatory duties. The financial models used by banks, for example, are very highly regulated to ensure they work without bias. Modelers must prove to regulators that their models don’t discriminate, say, loan provisions based on ethnicity.

Regulating machine learning - Since these techniques are implemented specifically to tackle problems that are too difficult for mere mortals to understand, regulating it requires something different from the prior two types. Regardless of how trustworthy and competent the regulators, they won’t fully understand the internals of the majority of these machine learning solutions. At least not for any interesting, real-world problems. Definitely not for any non-deterministic solutions. Even treating a specific technique as an understandable model ignores the behavior of that model under load from unvalidated data. Perhaps regulation means that all training data must be verified and validated prior to digestion by the algorithm? This negates the point of doing machine learning in the first place. An example of where regulation is needed for this type of AI is in autonomous vehicles. A suggestion of evidence based results to determine safety is mentioned in a January 2020 article by AP News regarding multiple Tesla crashes where, the executive director of the Center for Auto Safety in Washington said,

“At some point, the question becomes: How much evidence is needed to determine that the way this technology is being used is unsafe? In this instance, hopefully these tragedies will not be in vain and will lead to something more than an investigation by NHTSA.”

The article goes on to say:

Levine and others have called on the agency to require Tesla to limit the use of Autopilot to mainly four-lane divided highways without cross traffic. They also want Tesla to install a better system to monitor drivers to make sure they’re paying attention all the time. Tesla’s system requires drivers to place their hands on the steering wheel. But federal investigators have found that this system lets drivers zone out for too long.

(3 crashes, 3 deaths raise questions about Tesla's Autopilot)

That’s an appropriate measure for regulating stochastic machine learning systems. It’s less about the known limitations of the software, and more about the way it ought to be -and not be- used.

Alternative deterministic and explainable machine learning algorithms exist. These offer themselves better to regulations. If regulatory laws are required on the software for specific use cases, then the solutions must be implemented using these fully explainable technologies. These are absolutely necessary for mission-critical applications that attempt to replace type one AIs in industries that are already highly regulated.

Regulating artificial general intelligence - For there to be any chance of regulating AGI solutions, the components of that solution must be completely deterministic and explainable. Compared to the others, this one would seem to be the most challenging in terms of regulations. But, consider the goal: It is ultimately intended that these systems work like human minds. At that point, regulations would revert to regular laws to which we hold people accountable. But, there won’t be a light-switch moment. Before reaching full human-level intelligence, these systems will first evolve through much more humble abilities. They may progress through the equivalence of snail, mouse, squirrel, dog, and monkey minds. If allowed to apply their decisions, it is necessary that some randomness enters the algorithm. This is simply due to decision science, and not a feature of the AI/AGI. Deterministic and stochastic pathways can be separable, therefore regulated independently.

Regulations for AI systems already exist. This trend will continue. Unfortunately, our society is reactive instead of proactive. It is likely that regulations will only be implemented after harmful events occur. When these tragedies occur, we shouldn’t rush to blame the technology or developer, solely. Users that misuse the technology and lawmakers that fail to educate themselves on the technology must also shoulder the blame.

A driver that doesn’t follow the Tesla Autopilot instructions of staying awake, keeping hands on the steering wheel, or operating it only on highways is using the system outside of its design. If an accident occurs, that driver ought to be held responsible. It’s not enough to claim ignorance of the limitations and blame the engineers. Nor are the Tesla marketers absque culpa for naming the system “Autopilot”, giving consumers an overhyped sense of functionality. It is within these very human deceptions, self-made or as active participants, that lawmakers can impose controls. They must, however, be willing to work hard in understanding the technology so that they can delineate where the technology’s limitations end and human limitations begin.