AI Executive Order: The Ramifications for Business Become Clearer

Key Points

• In the months since the Biden administration issued a sweeping executive order directing government departments to implement policies to address the opportunities and risks associated with artificial intelligence (AI), its implications for the private sector have become clearer.
• Some agencies have now issued detailed guidance and proposals that affect not only government contractors but also companies developing large AI models, with large computing clusters or with businesses tied to critical infrastructure.
• With AI now a central focus of governments around the world, boards will need to oversee their companies’ AI efforts to ensure they comply with new regulations and mitigate risks.
  
  

On October 30, 2023, the White House issued a wide-ranging executive order establishing a framework for regulation of AI. The executive order aims to support the development of AI and promote innovation and competition, while establishing safeguards to minimize the risks of the new technology.

The nearly 20,000-word executive order included detailed instructions and set deadlines for departments and agencies across the federal government. In recent months, as various arms of the government have begun to carry out the mandates of the executive order, its full impact across the technology, financial and life sciences sectors and beyond is becoming clearer.

Companies Directly Subject to the Executive Order

While much of the executive order was directed to government agencies, some provisions applied directly to the private sector from the outset. For example:

• Companies developing large AI models that could pose a serious risk to security or national public health or safety must report to the Department of Commerce on the training and “red-team” adversarial safety testing of the models.
• Companies that have certain large-scale computing clusters must inform the government of the clusters’ existence, locations and sizes.
• U.S. IaaS companies (and possibly their foreign subsidiaries) must collect “know your customer” information from any foreign customers using the IaaS to train large AI models and report that activity to the federal government.
  
  

The EU’s AI Act is expected to categorize AI applications according to their potential risks and prohibit certain uses deemed unacceptably risky.

Other Businesses Affected by Government Actions in Response to the Executive Order

The White House confirmed that federal agencies have met all of the 90-day deadlines set forth in the executive order, with agencies issuing more detailed guidelines and rules that will impact the private sector. For example,

•  Companies looking to supply AI products or services to government agencies will need to consider a draft memorandum with guidance from the Office of Management and Budget (OMB) that was issued shortly after the executive order. Among other things, it would:
  • Require agencies to treat raw and modified data as a critical asset to which the government should maintain sufficient rights to avoid vendor lock-in and facilitate further design, development, testing and operation of AI.
  • Encourage government agencies to tailor contracts for generative AI to have risk management requirements such as red-teaming and other safety testing and the ability to label and establish the provenance of AI-generated content.
• In December 2023, the Department of Health and Human Services published guidelines for companies developing or deploying AI in health care. These address potential bias in algorithms and establish a framework to evaluate AI’s use in drug development, public health and health care delivery.
• The Department of Labor invited public comment in December 2023 on a proposal to include AI-related occupations on a list of classifications qualifying for an expedited immigration visa process due to a labor shortage. The list, known as Schedule A, is currently limited to nurses, physical therapists and foreign workers with demonstrated exceptional ability required for jobs in the sciences, arts or performing arts.
• The “secure by design” principles in the Guidelines for Secure AI System Development issued in November 2023 are likely to serve as benchmarks for companies developing AI. The guidelines were issued jointly by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.K.’s National Cyber Security Centre and a number of agencies and ministries from across the world, including all members of the G7. AI developers should also consult CISA’s Roadmap for Artificial Intelligence, detailing the agency’s national plan to address the opportunities and threats posed by AI with respect to critical infrastructure.

In addition to assessing the business impacts of guidance issued to date, boards and management should continue to monitor agency activity over the coming months, as additional deadlines set in the executive order approach. For example, financial services companies should note the March deadline for the Secretary of the Treasury to detail best practices for financial institutions to manage AI-related cybersecurity risks.

How Management and Boards Should Respond

The executive order will have a broad impact on companies developing and deploying AI, but the U.S. government is not alone in focusing on AI regulation. For example, the EU is finalizing details of the EU AI Act, which will broadly govern AI development and use in the EU. The EU AI Act is expected to take a distinct approach, categorizing AI applications according to their potential risks and prohibiting certain uses deemed unacceptably risky, including those that have significant potential for manipulation through subconscious messaging or by exploiting vulnerabilities, such as socioeconomic status or age. Additionally, while the executive order lacks specific penalties, penalties for violations of the EU AI Act could be costly, with expected fines up to €35 million or 7% of annual worldwide revenue, which ever is greater.

Management and boards should therefore:

• Develop and implement appropriate governance processes to assess on a regular basis the impact of global AI regulations and the related guidance, rules and regulations on current and future company operations.
• Establish accountability and reporting regarding material AI-related matters.
• Develop and regularly update corporate AI policies and training.
• Consider not only the risks and obligations created, but also the opportunities for businesses aligning with the new requirements.
• Where AI is a material component of current or future business plans, make AI a regular board agenda item.

Further Reading

“What Is Generative AI and How Does It Work?” (The Informed Board, Spring 2023)

“Biden Administration Passes Sweeping Executive Order on Artificial Intelligence” (Skadden client alert, November 3, 2023)

“Latest Text of EU AI Act Proposes Expanding Obligations for High-Risk and General AI Systems and Banning a Third Category” (Skadden client alert, February 5, 2024)

View other articles from this issue of The Informed Board

• Emerging Expectations: The Board’s Role in Oversight of Cybersecurity Risks
• Seven Myths About the US Law Banning Imports Made With Forced Labor
• A Guide for Directors to Political Law Issues in This Election Year
• Shareholder Activism Continues To Increase and Spread in Europe
• Podcast: CEO Succession Planning on a Clear Day 

See all the editions of The Informed Board

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.