U.S. President Joe Biden hands Vice President Kamala Harris his pen after signing a new AI executive order in the East Room of the White House on Oct. 30, 2023.
(Chip Somodevilla/Getty Images)
U.S. President Joe Biden hands Vice President Kamala Harris his pen after signing a new AI executive order in the East Room of the White House on Oct. 30, 2023.

While U.S. President Joe Biden's recently signed executive order on artificial intelligence is a first step in creating a U.S. regulatory framework at the federal level, it will face implementation challenges that will limit its immediate impact, likely leaving a patchwork of AI regulations that could incentivize some U.S. states to look to the European Union for guidance. On Oct. 30, Biden signed an executive order on Safe, Secure and Trustworthy Artificial Intelligence, attempting to cast a wide net to address emerging risks such as engineering biological weapons and weapons of mass destruction, government use of AI, data privacy, and risks to education, equity and civil rights and job security. It also contains provisions designed to enhance U.S. AI competitiveness, innovation and global leadership. To address emerging risks, it orders new notification standards for AI developers creating foundational AI models and calls on a variety of different government agencies to mitigate risks and evaluate their own AI use. For example, the Department of Homeland Security (DHS) will take steps to manage AI risks in critical infrastructure, while working with the Department of Energy to address chemical, biological, radiological, nuclear and cybersecurity risks. Meanwhile, the State Department, along with the Commerce Department, will promote U.S.-initiated safety standards globally and lead efforts to create an international framework to mitigate AI risks while maximizing benefits. Other agencies have been tasked with combating AI-related intellectual property theft, as well as developing programs to support workforce training and address algorithmic bias and discrimination. Additionally, the order calls on Congress to pass bipartisan legislation that addresses data privacy risks, which has faced steep hurdles amid intense disagreements.

  • The order creates a notification system and requires the National Institute of Standards and Technology (NIST), under the Department of Commerce, to issue appropriate procedures for conducting red teaming tests for AI developers. Specifically, developers of systems that pose serious risks and meet higher technical thresholds or levels of computing power will be required to notify the government when training the model and must share the results of a red team safety review prior to their public release. Those that will be subject to the notification requirement are ''dual-use foundational models'' — defined as those AI models that are trained on broad data, contain at least tens of billions of parameters, are applicable across a wide range of contexts, and exhibit (or could be modified to exhibit) competence at tasks that pose serious risks to national security, national economic security or national public health and safety.  
  • The order creates under the DHS an AI Safety and Security Board, while the DHS works with stakeholders to develop AI safety and security guidance for critical infrastructure owners and operators. Under the DHS, the Cybersecurity and Infrastructure Agency is also tasked with assessing potential AI usage and risks in critical infrastructure. In efforts to create a more robust AI environment, the order establishes an AI cybersecurity program and directs the DHS to incorporate AI to improve cyber capabilities and defenses, including AI and machine learning for threat detection, prevention and vulnerability assessments. There will be routine operational testing to evaluate AI-enabled vulnerability discovery and remediation techniques for government systems, among other government use-case initiatives. 
  • The State Department, along with the DHS, will also be paramount in the White House's efforts to attract and retain AI talent through various immigration reforms and programs, including streamlined processing times and applications for those traveling to the United States to work on, study or research AI (or other critical and emerging technologies). The DHS will also ''clarify and modernize'' immigration pathways for AI experts. The Department of Commerce is tasked with drafting guidance for content authentication and watermarking to label AI-generated content in efforts to protect intellectual property. The order also calls on the NIST to create new AI safety and standards. 

The executive order follows the European Union's move to add more stringent measures to its proposed AI Act in June 2023. Originally proposed in April 2021, the European Union's AI Act has since been revised to consider novel risks that emerged with generative AI, such as chatbots. The primary feature of the draft legislation is a system that categorizes different AI models based on their level of risk, using a scale that ranges from ''unacceptable'' and ''high risk,'' to ''limited risk'' and ''minimal risk.'' Those that are labeled as posing an ''unacceptable'' level of risk, such as social scoring systems or real-time facial recognition systems, will be banned in the European Union, whereas ''high-risk'' systems will face more stringent requirements for their deployment. ''High-risk'' systems are defined as those that may cause ''significant harm to people's health, safety, fundamental rights or the environment,'' such as resume/CV scanning tools that rank job applications; these systems must be registered in an EU-wide database and be subject to specific legal requirements. AI service providers for ''high-risk'' systems must incorporate human oversight practices into their use and have a comprehensive set of risk management initiatives, including requirements for data governance, strict monitoring and record-keeping and transparency, as well as standards for accuracy, cybersecurity, data quality, robustness and non-discrimination. Those that are labeled as ''limited risk'' must meet similar transparency requirements and inform users of their risks before interacting with applications, while those categorized as ''minimal risk'' will not be regulated. The revisions to the Act added a new category for ''General Purpose AI Systems'' (GPAIS) to include AI tools with more than one application, which primarily pertains to generative AI systems. Along with ''high-risk'' systems, GPAIS will be added to the European Union database to explain where, when and how they are being deployed. GPAIS will also be subject to transparency requirements, such as published summaries on copyrighted materials used to train systems. For generative AI, the revisions to the European Union's AI Act also put in place certain safeguards to prevent the generation of illegal or harmful content and security testing prior to deployment. 

  • The EU AI Act also aims to establish a European Artificial Intelligence Board to oversee the implementation of regulations and ensure uniform application, as well as to issue recommendations and opinions on AI issues that arise to provide guidance to national authorities. 
  • Under the draft legislation, EU member states must also establish at least one regulatory body to test AI systems prior to deployment and allow citizens the right to file complaints against AI developers and providers. 

Though the executive order marks a first step in shaping a U.S. AI framework, it lacks binding impact and will face implementation challenges that undercut its effectiveness at the national level. This is in contrast with the European Union's AI Act, which issues more concrete regulations with enforcement throughout the whole bloc and may even become a model for U.S. states. A future U.S. president can amend or simply scrap any of Biden's executive orders, meaning his new order on AI oversight may not survive, at least in its current form, if a Republican candidate wins the Nov. 2024 presidential election. Moreover, aspects of the order that require funding — such as developing research initiatives and setting up task forces that would boost the federal AI workforce, or adjusting the U.S. CHIPS Act to increase the availability of its resources to startups and small businesses — may not receive cooperation from Congress in appropriating adequate funds. Also, for guidelines to be binding, in many cases, congressional action is required to pass complementary legislation, which may lag or never materialize given ongoing splits within the U.S. legislature over how to address AI safety. Though there has been some progress in narrow areas (such as bipartisan legislation being introduced to address AI-generated material in elections), numerous other larger efforts, mostly pertaining to data privacy and transparency, have failed to gain traction. In contrast, the European Union's AI Act issues binding regulations that will create a more cohesive set of rules throughout the bloc. The EU AI Act is pending final approval from the European Council, and aims to be adopted by early 2024, but its enactment will be followed by a transition period that will likely take at least 18 months before the regulation is fully enforced. Nonetheless, major disputes in Congress mean it will likely be longer before a U.S. federal AI framework is fully implemented and enforced. Instead, AI legislation in the United States is more likely to continue emerging at the state level, forming a patchwork of regulations with varying and at times opposing compliance requirements in different jurisdictions. In developing their frameworks, some U.S. states may mimic certain aspects of the European Union's AI Act, similar to how California adopted data privacy regulations that align closely with the bloc's General Data Protection Regulation (GDPR).  

  • While both the EU AI Act and Biden's executive order cover aspects like testing and documentation, cybersecurity, bias and discrimination and increased transparency, the former contains regulatory action with enforcement, including fines, which the latter largely lacks. 
  • White House officials have also noted that the technical threshold needed to trigger review requirements will be set high so that it does impact small- or medium-sized companies, thus focusing the scope on larger companies. The Biden administration has also made it clear that the order will not take any existing AI systems off the market. This suggests that the executive order is intended to address more forward-looking risks as AI technology continues to advance, in contrast to the European Union's order, which applies to both already existing and emerging systems. 
  • Where the executive order includes measures specifically to protect innovation, the European Union's AI Act has largely been criticized for the possibility that its stringent measures could stifle AI development. Though the same fears have been expressed over the U.S. action (and any AI regulation, for that matter), they have been elevated to a greater degree in the European Union, and the U.S. executive order aims to simultaneously promote AI safety while procuring AI talent and research. If more stringent AI regulations are eventually implemented in the United States, the impact on the U.S. economy would be greater than the impact of such regulations on the EU economy, as tech companies investing in AI development are more heavily concentrated in the United States. 
RANE
SUBSCRIBERS ONLY

Expert analysis when it matters most.

Get access to RANE's decision-grade geopolitical intelligence.

Subscribe now