In this blueprint, we explain why a tiered approach makes sense in the EU AI Act and how to build a risk-based tiered regulatory regime for GPAI – the technicalities involved, which requirements should be imposed on their corresponding tiers, and how to enforce them.
Heavy is the Head that Wears the Crown: A risk-based tiered approach to governing General-Purpose AI
September 27, 2023
For the past two years, TFS has conducted extensive research on governing general-purpose AI (GPAI) and related foundation models. We compile these insights into a holistic, risk-based, tiered approach for GPAI, which we present in our latest blueprint: “Heavy is the head that wears the Crown”.
An executive summary is available here. The blueprint explains why a tiered approach makes sense in the EU AI Act and how to build a risk-based tiered regulatory regime for GPAI – the technicalities involved, which requirements should be imposed on their corresponding tiers, and how to enforce them. A summary of our findings is below:
- We find there are seven distinct challenges arising mostly in GPAI/genAI overall, ranging from generalisation to concentration of power and misuse.
- Most definitions conflate generative AI, foundation models, GPAI, etc. We explain why separating GPAI models from generative AI systems that build upon them is important for proportionality.
- We propose 3 tiers: generative AI systems, Type-I GPAI models and Type-II GPAI models (cutting-edge).
- In a tiered approach to GPAI regulation, requirements are set on models in proportion to their risk potential. Type-II GPAI models pose different and more severe challenges than Type-I and Generative AI systems; a Type-I GPAI model poses more severe and different challenges than a Generative AI system.
- Therefore, Type-II models (currently ~10 providers) must comply with the full set of listed requirements, while Type-I models (currently ~14 providers, incl. 6 from Type-II) have only a subset of these requirements, and generative AI (>400 providers) have an even smaller subset – reflecting risk-based proportionality.
- The distinction between tiers is based on the generality of capabilities, which predicts quite well how risky the GPAI model is. It can be approximated by compute used for training (a metric that is readily available internally and predictable, because it is a major cost driver), to update over time until better metrics are available.
- Requirements for each tier are summarized in the Executive Summary.
- We present additional measures for effective enforcement, open source governance, combinations of GPAI models, and value chain governance.