State AI Regulations Could Leave CIOs with Unusable Systems
As states rush to regulate AI, Chief Information Officers (CIOs) face the prospect that their systems may become unusable or economically impractical under new laws. These regulations threaten to drive up compliance costs, reduce ROI, or strand investments altogether.
Examples of Regulatory Actions
For instance, when it was reported that ShopRite, a Northeast grocery chain, was using facial recognition to identify repeat shoplifters, some Connecticut lawmakers expressed intentions to ban this technology in retail stores.
Similarly, legislators in Nebraska proposed to ban electronic shelf labels (ESLs) in grocery stores larger than 10,000 square feet, citing concerns that dynamic pricing could displace jobs and set prices based on consumer behavior. Oklahoma has filed a similar proposal for grocers exceeding 15,000 square feet. On the other hand, Maryland’s legislation would prohibit dynamic pricing and the use of surveillance data—such as sensors, cameras, and biometrics—to set individualized prices but would not ban ESLs entirely.
The Risk of Patchwork AI Laws
The emergence of numerous state AI regulations poses risks to existing systems across various sectors, including medical care, insurance, human resources, and finance. Under some proposals, companies may be required to provide regulators with:
- AI decision trees
- Documentation of training data
- Audit results
- Customer notifications describing AI system usage
According to Mahesh Juttiyavar, CIO at Mastek, compliance costs associated with new AI laws will rise significantly. He argues that these regulations will impose organizational costs and consume management time that companies have not accounted for, leading to cumulative expenses in the future.
Long-Term Compliance Costs
Europe’s General Data Protection Regulation (GDPR) illustrates how compliance costs persist after the initial rollout. Research has shown that Fortune 500 companies spent an average of $15.8 million on initial GDPR compliance, with recurring annual maintenance costs typically reaching 20% to 30% of that initial investment.
Despite the growing regulatory risks, businesses seem unwilling to slow their AI deployments. Juttiyavar emphasized that moving away from AI due to regulations is not a viable option, as AI is already integral to organizational operations, driving speed and competitiveness.
Anticipating Legislative Changes
Gregory Dawson, a management professor at Arizona State University, predicts a surge in AI-related legislative proposals as lawmakers and the public become increasingly aware of AI’s risks. Some states, like Arizona, have established steering committees to examine both the risks of AI and its potential benefits for public services.
At the federal level, Congress appears unlikely to preempt state AI laws. A proposal for a 10-year moratorium on state AI regulation was overwhelmingly rejected in the U.S. Senate, leaving CIOs to navigate a landscape of varying state rules.
Evaluating the Future of AI Legislation
While many AI bills in state legislatures may not be adopted, some could pass but lose their effectiveness. For example, New York City adopted a law requiring audits of AI-driven hiring systems to ensure they are bias-free. However, the law only applies when an AI system makes a “consequential” hiring decision, allowing employers to avoid compliance by keeping a human involved in the process.
According to Arsen Kourinian, a data privacy and AI attorney, most laws aim to limit the use of technology rather than ban it outright. This approach emphasizes the importance of governance in AI deployment.
Risk Management Strategies
CIOs can mitigate the risks associated with regulatory changes by establishing robust internal frameworks for AI deployment. Peter Cassat, a partner at CM Law, advises CIOs to negotiate “change of law” provisions in vendor contracts. These provisions would grant termination rights if regulations render continued use of a system impossible or impractical. However, such measures do not eliminate the risk of sunk costs, particularly with long-term contracts.
Moreover, CIOs must consider public and political reactions to AI technologies. In Connecticut, the swift response to facial recognition technology highlighted the need for CIOs to understand how such technology could be perceived externally as well as internally.
For CIOs, the only certainty is that state governments may act in unexpected ways regarding AI, necessitating preparedness for an evolving regulatory landscape.