Dear friends,
There have been intense efforts over the past few years to lobby governments to pass AI laws for regulatory capture or to suppress open source. This week, the White House issued an executive order that provides new guidance for companies that build frontier models. It promotes AI development while taking into account its impact on security. I’ve long been concerned that overregulation will stifle AI progress. In the case of this executive order, it’s a close call, but the result is a reasonable compromise between encouraging AI development and protecting security.
We could have ended up with a stifling executive order that would have been very burdensome for model builders, as I’ve written in earlier letters. I’m grateful to David Sachs, who co-chairs the President’s Council of Advisors on Science and Technology, as well as AI policy advisor Sriram Krishnan and others who worked hard to make the order reasonable. At the same time, I remain cautious about ongoing lobbying efforts and the temptation to overregulate.
This latest push to regulate AI was driven by cybersecurity concerns. Specifically, Anthropic's Mythos was a significant step forward in automatically finding vulnerabilities in code. Over the long term, improved vulnerability detection will make software more secure. When bugs are more easily found, the advantage naturally lies with defenders, who can work to patch them. So having software that enables everyone to find vulnerabilities is a good thing — eventually!
But while the world is navigating the transition to this end state, we should minimize the window where attackers — including highly resourced ones like nation states — can find and exploit vulnerabilities where defenders have not been able to invest the resources needed to identify and patch them. This reflects a legitimate risk, and we should take reasonable and proportionate measures. For instance, the executive order mandates ramping up defensive efforts. Additionally, it sets up a framework for frontier labs to share their models with the government on a voluntary basis and collaborate on cybersecurity. I find this, too, helpful and reasonable.
Unfortunately, whenever there are legitimate risks, there is also a temptation to overregulate. Take commercial operations that braid hair. This is a very safe activity, but it does carry small risks. After all, we don’t want hair stylists to have such poor hygiene that they infect their clients with lice or diseases. But many U.S. states require someone wishing to braid hair commercially to engage in hundreds of hours of training to obtain a license. This requirement unnecessarily stifles small businesses. In a choice between excessive regulations and no regulation at all on this art, we would be better off with no regulation. The extremely low risk of an infection is better than stifling the whole industry.
In the case of AI, I am glad the U.S. government is taking cybersecurity seriously. At the same time, many lobbying attempts have already used fear driven by science-fiction narratives (for instance, AI leading to human extinction) to impose burdensome bureaucratic requirements or unreasonable types of liability on model trainers if others misuse their models. It took a lot of work to beat back regulations based on these narratives. This time round, there is actually a legitimate risk. When lobbyists are armed with an even more powerful weapon to push for excessive regulation, it becomes even harder to find a balance between reacting proportionately and over-regulating.
As AI continues to develop, I’m sure that new harmful ways to use it will arise alongside the far larger number of beneficial ways. Nations will be better off if their governments are able to demonstrate sound technical judgement and navigate that fine balance. I suspect, though, that governments that aren't confident of their ability to find a balance will do better to slow down their regulatory impulses to form a clear assessment. Often, no regulation will be better than over-regulation.
Keep building!
Andrew