Scaling Laws: Can AI Make AI Regulation Cheaper?, with Cullen O'Keefe and Kevin Frazier

A

The Electronic Communications Privacy act turns 40 this year and it's showing its age. On Friday, March 6, Lawfare and Georgetown Law are bringing together leading scholars, practitioners and former government officials for installing updates to ecpa, a half day event on what's broken with the statute and how to fix it. The event is free and open to the public in person and online. Visit lawfaremedia.org ecpaevent that's lawfairmedia.org ecpaevent for details and to register You're a pro

B

at running your life. At committing to your workout. At showing up every day at bombas, we're pros too. Pros at making socks. Our sport assortment has specialized socks for whatever sport you're committed to running, hiking, golf, Pilates and so much more. Made with sweat, wicking yarns, blister fighting details and targeted arch support, Bombas Sport is pro level Socks from the Pros of Socks Socks. For another pro you go to bombus.com audio and use code audio for 20% off your first purchase. That's bombus.com and use code Audio Big news Boost Mobile is now sending experts nationwide to deliver and set up customers new phones at home or work.

A

Wait, we're going on tour?

B

Not a tour. We're delivering and setting up customers phones so it's easier to upgrade. Let's get in the tour bus and hit the road. No, not a tour bus. It's a regular car we use to deliver and set up customers phones at home or work.

C

Are you a groupie on this tour?

B

We deliver and set up phones. It's not a tour.

A

Oh you're definitely a groupie.

B

Introducing store to door Switch and get a new device with expert setup and delivery wherever you're at. Delivery available for select devices purchased@boostmobile.com

D

this episode is brought to you by Bill, the intelligent finance platform that helps businesses and accounting firms scale with proven results. When you're growing a business, the stakes get higher. You can't afford infrastructure that breaks under pressure. If you care about security, reliability and scale, I want to let you in on a secret. Bill is the foundational software that nearly half a million businesses and 90 of the top 100 US accounting firms use to automate back office workflows, add secure controls to payment processes and scale without increased overhead. With AI powered Accounts Payable automation, Bill erases the busy work from capturing invoices, routing approvals and processing payments, syncing seamlessly with the top accounting software platforms so your books are always accurate. But Bill isn't just accounts payable it supports the full payments workflow. Bill has processed over $1 trillion in transactions, leveraging that expertise to help you manage, move and maximize your finances. So stop the guesswork and start scaling with the proven choice. Go to bill.com proven to talk with a payments expert and get a $250 gift card as a thank you. That's bill.com proven terms and conditions apply. See Offer page for details.

C

It's the lawfare Podcast I'm Kevin Frazier, the AI Innovation and Law Fellow at the University of Texas School of Law and Senior Editor at lawfare. Today we're bringing you something a little different. It's an episode from our new podcast series, Scaling Laws. Scaling Laws is a creation of lawfare and Texas Law. It has a pretty simple aim, but a huge mission. We cover the most important AI and law policy questions that are top of mind for everyone from Sam Altman to senators on the Hill to folks like you. We dive deep into the weeds of new laws, various proposals, and what the labs are up to to make sure you're up to date on the rules and regulations, standards and ideas that are shaping the future of this pivotal technology. If that sounds like something you're going to be interested in and our hunches, it is. You can find Scaling Laws wherever you subscribe to podcasts. You can also follow us on X and BlueSky. Thank you.

A

When the AI overlords take over, what are you most excited about?

B

It's.

C

It's not crazy, it's just smart.

A

I think just this year, in the first six months, there have been something like a thousand laws.

C

Who's actually building the scaffolding around how it's going to work, how everyday folks are going to use it?

A

AI only works if society lets it work.

C

There are so many questions have to

A

be figured out and nobody came to my bonus class.

C

Let's enforce the rules of the road.

A

Welcome to Scaling Laws, a podcast from lawfare and the University of Texas School of Law that explores the intersection of AI law and policy. I'm Alan Rosenstein, Associate professor of Law at the University of Minnesota and Research Director at lawfare. Today I'm talking to Cullen o', Keefe, Research Director at the Institute for Law and AI and my very own Scaling Laws co host Kevin Frazier, the AI Innovation and Law Fellow at the University of Texas School of Law and and a Senior Editor at lawfare. Cullen and Kevin have written a new paper and accompanying lawfare article arguing that AI itself could dramatically lower the costs of complying with AI regulation. We discussed the concept of automated compliance, the limits of compute thresholds, and a novel proposal for automatability triggers that would tie the activation of new regulations to the availability of cheap compliance tools. You can reach us@scalinglawsawfairmedia.org and we hope you enjoy the show. Kevin Fraser and Cullen o', Keefe, welcome to Scaling Laws.

B

Thanks for having me.

A

So you all wrote a really interesting paper about the effect of AI on potentially lowering compliance costs for regulation, and specifically in the context of AI regulation. But before we get into that paper, let's just set the scene. Let me start with you, Kevin. What is the general problem of regulatory compliance costs just outside the AI context? I mean, in the paper you provide some really interesting, striking examples. For example, $55 billion for California's privacy law, or outside the tech context, the nuclear premium, which adds double digit percentages to construction materials and on and on. So just describe overall what the current landscape of compliance costs are and then how they map onto the AI policy debates that we're all having.

C

Yeah, so I think what's really important here is to frame that compliance costs vary by your size of company. Right? So for the sort of largest company, let's talk about meta, let's talk about Google, let's talk about OpenAI. They have whole compliance teams, oftentimes hundreds if not near thousands of lawyers who are just paying attention to what's the latest regulation, how can we streamline compliance with that regulation? And they're generally going to kind of float and get by whatever regulatory hurdles are thrown their way. While that's going to be a substantial cost as a fraction of their total operational expenditures, or as a fraction of their revenue and profits, it's kind of de minimis. And so they'll be able to comply in a fairly straightforward fashion. But if you look on the other end of the spectrum and think about the startups, whether in the AI space or generally just any small firm, complying with any set of regulations is going to be a lot more onerous. Because when you start something like a new business, your first hire isn't usually an attorney. Right? We're expensive, we're not exactly fun, you don't want to have us around. And so instead, what do you do if a new law gets enacted? Maybe you just ignore it and then you're kind of screwed when you're found in non compliance or you have to turn to outside counsel. And that means looking to a big law firm who charges big dollar big law firm fees. And suddenly for something as small as just updating your privacy policy, for example, that may cost around $5,000 in outside counsel expenses. And for a startup, that's a significant amount of money when the usual average operating expenditures for a startup is around $55,000 per month. And so compliance costs are really this question of number one, how is it impacting you in terms of just those expenditures? But then, as we also point out in the paper, you have to pay attention to the opportunity costs. All the time that you spend collecting the requisite forms, touching base with the right administrators, so on and so forth, that's time you could have been spent doing other things, other more productive things for your businesses in particular.

A

So, Cullen, I mean, you've been involved in a lot of efforts to develop frontier AI regulation. Your organization, the Institute for Law and AI, of which I should say I'm currently also a part of, as is Kelly, in a kind of part time capacity. I'm not sure I would necessarily call you guys necessarily an AI safety organization, but I think it's fair to say that you're AI safety adjacent or AI safety curious. Certainly you're in a lot of those same conversations as AI safety folks. How do you, and maybe more generally, how do you think the AI safety and AI regulatory community tends to think about compliance costs to the extent that they even do, and should they think about it more?

B

Yeah. So as for Li, I think it's right to say that we take AI safety related issues pretty seriously and have done work kind of sketching out what forms of frontier AI regulation might look like. But I think we, and some, maybe not all, but definitely some of the actors in this space, try to be attentive to how you could tailor frontier AI regulations to capture a lot of the safety benefits, while also minimizing the costs on actors that are maybe not contributing as much to some of the frontier AI risks that we are worried about. And historically, one of the main ways that people in the kind of frontier AI safety community have tried to thread that needle is by using something called compute thresholds. This is a topic that I assume has come up on scaling laws before, but just to refresh your audiences, the idea here is that AI systems can be trained with different amounts of compute. There tends to be a relationship between the amount of compute trained and the capabilities, and therefore maybe the risks of AI systems. And compute is also quite expensive, as people probably know. And so one nice thing that you can do potentially is set what's called a training compute threshold, where you say that this type of regulation will only apply to Models trained with say 10 to the 26 floating point operations flops. And what this means is that this would only apply to firms that could afford that amount of compute. And even though it's not like an iron law or anything, those firms would tend to be the better capitalized firms of the sort that Kevin kind of led with and therefore might be better able to absorb compliance costs. And then firms operating below that threshold would be exempted. So that's one way historically that people have tried to address this problem. And so maybe one way of framing and motivating the paper is like, can we improve on that as a methodology for differentiating between firms that can easily eat compliance costs versus not or otherwise make the trade offs a bit more sensible?

A

Well, let's stay on the compute threshold point for a second because as you point out, that has been the standard way of doing it and it has certain intuitive appeal. But you all point out in the paper that increasingly that may not be a useful way of distinguishing on the one hand, the models that we are potentially worried about, and on the other hand the sorts of companies that can afford to pay these compliance costs. Let me stay with you, Colin. Why is that what recently has been happening that is making the compute threshold approach perhaps no longer fit for purpose?

B

Yes, you know, this is somewhat old news in the fast moving world of AI, but you know, over the past.

A

You mean it's two weeks old,

B

more or less. You know, over the past two years we've seen this emerging paradigm called reasoning models, Right. And one of the key insights of reasoning models is that you can in some sense trade off training compute for test time compute or inference computer, that is to say, a model that took less compute to train can kind of think for longer when you ask it for the answer to a question and perform as well as a model that took more compute to train, but is only given a single kind of forward pass to complete its answer. I think a lot of people expect this to mean that over time the amount of compute needed to give rise to a certain capability level will go down. There's kind of other reasons to expect that as well. Firms are always finding new ways to make their training runs more efficient and compute costs are also coming down. Right. So there's all these kind of secular trends that tend to point to fixed flop amounts being cheaper to hit and also fixed flops corresponding to greater and greater capabilities. So I think if training compute is a reasonable proxy measure, and I don't have a strong view on whether that's still the case, I think it's a reasonable guess that it might be appropriate. But if it is, there's a bunch of secular trends that mean that it's not going to be forever and may not be for very much longer either.

C

And just one small thing to add on here is I think that the flops based governance or FLOPS based trigger for compliance expectations also misses some of the new risks that are emerging in a lot of the AI discourse. So, for example, in state legislatures around the country, AI companions now are among the top issues that they're focusing on. You don't need, pardon my French, a shit ton of compute to design a AI companion that's going to drive young users towards certain behaviors. And so, you know, grounding a lot of AI legislation on that proxy. It depends on the risks you're focused on. I agree with Colin that especially for those sort of frontier risks, it may be a reliable proxy. But for the folks who are concerned, the AI issues that are oftentimes headline news these days, I think it's particularly ill suited for that.

A

So it sounds like we have the following problem, which is that the current compute thresholds are insufficient to capture the world of things that we might want to regulate. So then the response would be we'll just regulate all the things. Maybe do it by some capability threshold or maybe just by sort of a general. If you're building an AI system, you have to satisfy these obligations. On the other hand, though, that hits into the compliance cost problem. And so I think this is a nice segue into what I take to be the core insight of your paper. And I'll start with Kevin here, which is maybe we can solve this problem. Maybe there are some, some kind of efficiencies to be had through this idea of automated compliance. So, Kevin, what is automated compliance?

C

Yeah, automated compliance is exactly what it sounds like. Thankfully, it's pretty on the nose here, which is to say taking compliance tasks and delegating it essentially more or less to AI systems. And this is not new by way of trying to find efficiencies with respect to complying with complicated sets of requirements or new expectations from the state or the federal government. If you go talk to any business, they'll tell you about how they're always trying to streamline how they comply with various expectations and to create new workflows and so on and so forth. And this is really just saying, hey, we have these new tools that are really good at a couple of things. They can aggregate a lot of data, they can parse through that data and they can share that data. And so when we think about some of the AI regulations that we're seeing pop up around the country, we've got SB53 in California, the RAISE act in New York, there's a, I'll say a SB53 sister or sibling that's been proposed in Utah. I suspect we'll see similar kind of transparency requirements. Well, what are we really asking companies to do with respect to those efforts? Well, it's to compile transparency reports about how an AI system is performing and then sharing that information with a regulator. Well, if we can have AI do that, and Colin and I think I will get to that point of being able to do just that. Well, suddenly your somewhat trite, although accurate statement, Alan, of well, why not just regulate everyone? Well, if it's costless or near costless, then yes, why not? Right now we're seeing that the disproportionate burden that currently exists under a lot of compliance regimes would essentially disappear. But I'll also flag that there are some other key things that we expect AI will be able to do if not now in the near future. Performing, for example, automated evals on AI systems, monitoring safety and incident safety and security incidents, for example, which is another thing that a lot of state legislators are looking at, and then finally providing incident disclosures to regulators and consumers. And so there's a range of really important kind of essential regulatory mechanisms that I may be able to handle in the near future. And our argument under automated compliance is that AI can lower those costs and make it far more efficient for all sizes of companies.

B

Yeah, and yeah, completely agree. Maybe just two things I'd add to that too is first I would direct people to a great article by Paul Ohm called something like Toward Compliance Zero that came out a few months before us, where he makes a lot of similar points and elaborates that very well. And then maybe the other framing that I think people might want to bring to this conversation is that most new technologies kind of expand the production possibility frontier. They make new things possible. And so, so that's what makes a lot of us excited about AI technology and maybe sometimes also apprehensive. But this is really just pointing out that kind of the one logical consequence of that for AI technology is that it's going to make new forms of compliance automation possible. That wouldn't have been possible before Cullen.

A

I think it'd be helpful to get a little more specific as to what sorts of things are automatable and what sorts of things are not automatable. Compliance is a very general term. It encompasses a lot of behaviors. And so just give a sense of when you and Kevin are running about automated compliance, what sorts of tasks like specifically are you all anticipating? And maybe more importantly, what is not automatable? And is it not automatable yet or is it sort of in principle, not really automatable?

B

Yeah, great question. And I think this task based framing that you introduce is really the way, at least I think about it. So Kevin mentioned a few types of examples of things that we could imagine AI safety regulations requiring people to do. And so a lot of these seem like things that in principle AI either could do today, if you put a little bit of elbow grease into working out the workflows and plumbing to make it work. So things like compiling information about how an AI system was trained. Right. Transparency type obligations, maybe intervening in the training process. There's different ideas for how you can intervene in the training process to make AI systems safer or behave behave in certain ways. So that's another type of thing where AI systems are quite good at coding. The AI labs are already using their AI systems to help them build the next generation of AI models. While if you require the AI system to incorporate some regulatory requirements into that, maybe it's not too much extra work. But there definitely are things that you could imagine AI safety regulations requiring that would seem a lot harder to automate. So just one example, a thing that's often considered a kind of best practice in AI safety is something like human red teaming, where humans try to cause the AI systems to behave in undesired ways. Kind of by definition that has humans involved. There's definitely a lot of interest in AI driven red teaming or AI aided red teaming. And so we will see whether that is ever competitive with human red teaming. But you might want there to be a requirement that humans red team the system. At least if that was a requirement, that would obviously be hard to automate, though maybe with AI assistance they could do it quicker. Who knows? Then maybe another thing you might consider is some sort of clock time requirement. So one idea that people have talked about is something like an exclusivity period where a company kind of has to sit on an AI model and maybe can only offer it through an API or through a chatbot or something, but can't release the weights publicly for maybe six months while people kind of see how it behaves and assess whether it would be safe to release the weights of this model. Broadly, regardless of whether you think that's a good idea, obviously you can't automate away six months. Although again, maybe you can do more in those six months. And maybe that means you would get the same safety benefit in three months kind of post AI that you would get pre AI. So nevertheless, if you think about how different requirements might be specified, some of them will be hard to automate. Yeah, which kind of gets to part of the point of our paper, which is that you should think about which types of safety requirements will be more automatable and less. And maybe there's some reason to prefer ones that will be more automatable.

A

How do you all think of what we might call the Goodhart's Law objection to your account? So Goodhart's Law is the famous dictum that once a measure becomes the goal, it ceases to be a useful measure. And we see this sort of throughout society. We all focus on such and such statistic about education performance or healthcare performance. And then the regulated industries start optimizing for that and that ends up distorting the very goal that they were trying to accomplish. One can imagine a similar concern with automated compliance where, okay, once you've made compliance kind of machine readable in a sense, then you could imagine the incentive of companies to try to game the system, train the models to sort of satisfy. You know, in legal terms, you might think of this as a kind of letter of the law versus the spirit of the law concern. But I can just imagine a world where you have this amazing automated compliance framework, but in the end, it's not actually solving the reason that the legislatures or the regulators put out whatever, whatever, you know, whatever compliance requirement they did, whether it's safety or anything else. And I'm curious how you all think about that potential concern.

C

I'm happy to take a first stab at this one. I think for me, the difference here is that Goodhart's Law has some sort of reward mechanism that values changing your operations to achieve that result.

B

Right.

C

So the assumption is that by virtue of changing your operations, you'll send some signal to the world, to your stakeholders, to your consumers, so on and so forth, and be recognized for achieving that metric. Whereas what we're proposing is basically just continuing the status quo, whatever you are doing the background tasks that you were ignoring to begin with, or perhaps not paying an incredible amount of attention to, or not gathering in the way you previously imagined. Now AI is just doing that, but it's not saying that we're necessarily going to reward you for this outcome or give you some relief from some other regulatory paradigm or something like that. Basically you get to carry on as is, but just have this tool do your compliance test for you. And so I don't have the same concern that suddenly an AI startup that faces some regulation for which automated compliance is possible. They just don't really have an incentive, in my opinion, for, for changing their behavior. But I'm always intrigued what my co author has to say.

B

No, I think I generally agree with that. I think, you know, Goodheart like problems are endemic to the process of setting measures and then people optimizing against, you know, one way people think about AI systems is that they're optimizers and so they might find ways to optimize against whatever measures and do so more aggressively than humans might be able to. So I think this will be like a general issue that the law and a lot of other sectors will have to grapple with in the future. You know, I guess the way I would think about it as it relates to this paper is that, you know, it remains the duty and burden of legislatures and regulators to think about what types of behaviors they want to inculcate and find the best ways to do them and then they'll specify them. And the best that we can do is help regulated parties achieve those specifications kind of as efficiently as possible. And I guess, yeah, I could see ways in which introducing AI into that process introduces more optimization, but I could also see ways in which it also helps, for example, regulators think, think through more clearly their drafting process and think about ways in which the measures that they're picking might be good, heartable.

A

For example, let me pose another potential objection to the project, which is if the problem that you're trying to solve for is, let's say, Silicon Valley's resistance to regulation, and your solution is, well, it's actually going to be a lot cheaper than you think because of automated compliance. That might only get at one part of the reason why the technology industry might oppose regulation. Right? So it may very well be that especially for the big companies where the compliance costs, while not trivial, are fundamentally rounding errors, their concern is actually not cost at all, it's the actual substance of the regulation. Right. They may say you could drive the costs of complying with the regulation to zero in the sense of lowering the administrative costs, but automated compliance does not lower the non administrative costs of regulation. So I'm just curious how you all think of that or whether that's just a different problem and we're solving a problem over here, there's still a problem over there, but we might as well solve the problem over Here, even if it's not the entirety of the problem.

B

Columbia. Yeah, yeah, I can jump in on that. I mean, I think that's great. I think that we should just. Then, part of what's exciting about this is it enables us to focus on the first order question instead of the second order question of like, do we think that these regulations are worth the kind of first order costs and benefits? Is it worth preventing AI companies from doing the profit maximizing thing that we assume that they will do by default to achieve some additional degree of public safety or whatever other type of good we're trying to achieve? And people can and will disagree about that. Those disagreements are healthy and part of normal democratic debate. And I think it's actually just more productive if AI technology enables us to focus on those disagreements eventually.

C

And I'll jump on there to say that one thing that particularly excites me about this idea is the ease with which we can now switch to a different regulatory paradigm in which automated compliance is possible is way easier. And so one of my gravest concerns about premature regulation, and we outline the difference between a sort of pro regulatory and deregulatory spectrum. And Colin and I occasionally end up on opposite sides of that spectrum. But I think everyone agrees we want evidence driven policy and we really want to avoid path dependence being created by laws that are well intentioned, but perhaps send the AI development down a certain direction when in reality, you know, we want it to go a different route that perhaps is even safer and even more innovation enabling. And so if we have automated compliance be the norm and it doesn't require you to effectively change your operations such that you're fulfilling some expectation of the regulators, well now both regulators and companies can be more innovative and more evidence driven. And that is super exciting.

A

Okay, so that's, that's great. Let me, let me kind of repeat back to you what, what I heard and you could tell me if it's right, which is, and I always find the sort of production possibility frontier diagrams from, you know, first year microeconomics really useful. Sorry, I'm, I'm now waving my finger in the air because podcast is a very visual medium, as everyone knows. But you know, I take it that what you're arguing is that look, there are real trade offs in regulation, safety versus innovation, kind of as the classic example, and your paper is not kind of responding to that as a general matter, what you're saying is, yes, but there's a whole other set of trade offs that are actually dissolvable, which is like for any given amount of safety, we can have the same amount of innovation, we can have more innovation or vice versa, as long as we get rid of this compliance sludge. And we should all want to get rid of compliance sludge because then we can start fighting about the thing that actually matters. Is that a kind of fair description of the problem project?

B

Yeah, I would say so. I mean, yeah, I think we say as much. Right. If you hold the level of safety that you want constant, you get it for cheaper. If you hold the amount of regulatory costs that you're willing to eat as a society, then you get more safety. Either way of framing it works. And that's the beauty of positive sum innovation.

D

Deleteme makes it easy, quick and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable, Delete Me sends you regular personalized reports showing what information they found about you, where they found it and what they removed. It isn't just a one time service, it's always working for you, constantly monitoring and removing the personal information you don't want on the Internet. Let me give you a personal example of that. I first learned about DeleteMe. This was considerably before they were an advertiser for Lawfare. And I learned about it at a conference of democracy activists where, you know, we were talking about what to do to reduce risk. If you're working in this field, people said, you need to have delete me. And so I went out and got it and I got it from members of my family and I got the first report and there were, you know, 20 some odd data brokers who they had removed my data from. But then here's the key thing. The data brokers go back to work collecting on you. And so a few months later you get another report and these same data brokers, they're removing you from their sites again because Deleteme keeps at it. The New York Times wirecutter has named Deleteme their top pick for data removal services. And you know, if you're somebody with an active online presence, you probably know that if you're going to protect your privacy, nobody's going to do it for you. You've got to do it yourself. This is a step that you can take. But if you're not somebody with an active online presence, they're still getting data about you. They're still using it to facilitate phishing attacks on you, to facilitate identity theft. And if you've never been the victim of one of these things, you probably know somebody who have and it's probably only a matter of time before it happens to you. Delete Me can help, so take control of your data and keep your private life private by signing up for Delete Me now at a special discount for our listeners. Get 20% off your Delete Me plan when you go to JoinDeleteMe.com Lawfare20 and use the promo code Lawfare20 at checkout. The only way to get 20% off is to go to JoinDeleteMe.com lawfair20 and enter code Lawfare20 at checkout. That's JoinDeleteMe.com Lawfare 20 code Lawfare20

B

hey

D

folks, I want to tell you a story about the founding of Lawfare. I started Lawfare and it was just a blog and then we realized we had to create an organization to support it. And all of a sudden I found myself doing paperwork, forms, logistics, personnel stuff. It just completely ate up my day. And I want to say I was bad at it and it was repetitive, it was boring, and I thought to myself, there has to be an easier way to do this. I didn't know about Gusto at the time, and in retrospect I wish we had. Small business life means hustling and figuring it all out a lot of times on your own, and I did it a lot of times on my own and it was bad. But you don't have to make the same mistakes I did. You don't have to spend your evenings guessing at tax forms or tracking down onboarding documents. Gusto handles all of that so that you can spend your time on the parts of your business you actually love, like in my case, running a magazine about national security and law. That part I love. Gusto is an online payroll and benefit software system built for small businesses. It's all in one remote, friendly, and incredibly easy to use so that you can pay, hire, onboard, and support your team from anywhere. You save time with automated tools that are built right into the system. Offer letters, onboarding materials, direct deposit, and more. It's automatic payroll tax filing, simple direct deposits, health benefits, commuter benefits, workman's comp, 401k, you name it. Gusto makes it simple and has options for nearly every budget. It's quick and simple to switch to Gusto. Just transfer your existing data to get up and running fast. Plus, don't pay a cent until you run your first payroll. So try gusto today@gusto.com LawFair and get three months free when you run your first payroll. That's three months free payroll@gusto.com Lawfair one more time Gusto.com LawFair.

A

Your production needs flexibility software. Define it with automation built to adapt

C

and the best of it to boost your ot. Transform the everyday with Siemens Shipping Billing Admin Payroll Marketing.

A

You're managing all the things so why waste time sending important documents the old fashioned way? Mail and ship when you want, how

B

you want with stamps.com print postage on

A

demand 247 and schedule pickups from your office or home.

B

Save up to 90% with automated rate shopping. That's why over 1 million small businesses trust stamps.com go to stamps.com and use code podcast to try stamps.com risk free for 60 days. BetterHelp Online Therapy bought this 30 second ad to remind you right now, wherever you are, to unclench your jaw, relax

A

your shoulders, take a deep, deep breath in

B

and out. Feels better, right? That's 15 seconds of self care.

C

Imagine what you could do with more

B

visit betterhelp.com randompodcast for 10% off your first month of therapy. No pressure, just help. But for now, just relax.

D

Thanks.

A

So let's now talk about another part of your paper. And this to me was the most interesting idea. And this is your proposal for what you all call automatability triggers. So Cullen, what are these triggers? And again, what problem are they sort of responding to?

B

Yeah, so this really goes back to kind of the central tension that often motivates some of these debates where let's say that Kevin and I agree that we need regulation at some point. And Kevin's refrain is, ah, but if we regulate now, you might have all these bad things. You might go into a kind of course, a path dependent route of technological development that's hard to reverse or costly to reverse. You could kind of lock in incumbents, et cetera. And I retort, well, I'm quite worried that if we don't regulate now, there will kind of never be another opportunity to regulate. Or by the time there's another another opportunity to regulate, it will be too late. We'll have already had some sort of catastrophe that we really would have preferred to prevent. But Kevin and I share an underlying worldview, which is something like AI is going to unlock a lot of very, very beneficial capabilities in the future. And among those it really looks to us is the ability to automate a lot of core compliance tasks. And I think the way that I kind of initially came up with some of the ideas behind this is I think this suggests a very natural trade which is like we agree to regulate but not now. We agree to regulate when that AI capability improvement that we both expect drives automation costs below some level. That's the fundamental idea of what an automatability trigger is. It says this regulation will not be effective now. It will become effective only when the costs to implement compliance with it are lower than they are today. Because presumably AI technology is better at doing their compliance tasks.

C

And it's flagging. Just to add something quickly, it's worth flagging that this is not a novel concept with respect to conditioning the application of a law on a certain event. These are known as sunrise clauses. A lot of folks know about sunset clauses and don't get me started because I can go off for another 90 minutes about the importance of sunset clauses. But sunrise clauses are also essential and basically condition the enforcement of a law on some trigger that may be okay. Now, an AI tool exists to allow for compliance. Or it can be something like, hey, we're not going to start to implement these privacy laws or regulations until we've actually created the privacy agency and hired the requisite number of staff and so on and so forth. There have also been states that impose sunrise clauses with respect to occupational licensing provisions. This is an interesting use case where they say, we will not allow for a new occupational license until there's a study done indicating that we actually need one. Which is kind of like, no shit, I would hope that's the law. But sometimes we just need these reminders to be baked into the legislation themselves.

A

And just to make sure I understand how this would be implemented, someone would have to decide when the. Well, I mean, two. Two things would have to happen, presumably. One, someone would have to set the kind of trade off between. How much automation do you want to make sure there is before the law goes into effect? I imagine that would be something for the legislature to decide. And then there's someone, I assume in the executive branch who has to say, okay, I've done a study. I believe that the time is now in terms of satisfying legislation. Do you have in mind who would do that? My instinct would be like the Secretary of Commerce because of nist. And I would imagine NIST would be the National Institute for Standards and Technology or. Or the AI Safety or whatever they're calling it these days, Institute, who actually does this and how? I'm kind of curious in the sort of ad law minutia of this a little bit.

B

Yeah, I mean, I think as a first order matter, I think there's a lot of different ways you could imagine this being implemented. And since it is a new type of mechanism. I wouldn't say that Congresspeople tomorrow should rush out and try to copy and paste the language from our paper into their hot new AI regulation bill. There still needs to be a lot of work done to think through how this would be implemented. That said, yeah, I think the basic schema that you're pointing out sounds about right where Congress would say, we want this law to come into effect only when we think that compliance costs have dropped to X dollars per relevant task. And so you might think that the relevant task is like evaluating a single AI model. Just to take a very simple example of what an AI safety regulation might do, we think that right now it would probably cost firms if you include kind of overhead, maybe it costs like a million dollars to run a single model evaluation, and that's too much. But if it only costs $10,000, then we think that that's great just to make up numbers. Right? And so, yeah, Congress would say that. And then maybe the Secretary of Commerce seems like the best placed person in the federal system, since we don't have the Department of AI yet says, we think the day has come, we think that the cost is $10,000, here's why. And then the enforcer starts bringing enforcement actions. Maybe then litigants could challenge that determination court. That itself is a statutory and administrative procedure question that I am not necessarily an expert on. But yeah, that's just one example of how you might implement this.

C

And something that we talked about in the initial formation of this idea was the fact that this could lead to a really interesting market on the private side of saying, hey, I want to develop the tool that then gets adopted or offered as one of the options for this AI compliance. And we don't necessarily have that right now. Obviously there are a number of startups that are trying to think through how they can facilitate easing your compliance burden with various AI regulations and other regulations. But actually developing this sort of AI compliance tool is a really interesting market that could be created. And I also think it's worth flagging that this concept could have a lot of positive spillover benefits in other areas of regulation, where we're also concerned about having a sort of disproportionate impact on smaller businesses.

A

Let me actually stay with this question of who would develop these tools, because I want to sort of prod at this idea a little bit. I think it's really interesting. But one objection you might have is, well, why would Silicon Valley have an incentive to develop these tools if it's not until the tools are developed, do they have to actually do the compliance or that the regulation comes into effect? So how do you incentivize. And of course Silicon Valley is a they, it's not an it. But how do you incentivize Silicon Valley to build these tools when in some sense it's against their interests to do so?

B

Yeah, I think it's a great question. I think number one, there's a coordination problem or something. So if firms see that there's going to be a lot of business to be made by offering this compliance tool, it would be illegal for them to coordinate, not to make it under the antitrust laws probably so they couldn't get together and do that. But then also it's probably the type of thing that is built by someone building on top of a foundation model is my guess the most likely way that this would be implemented. And it's just hard for firms to kind of prevent them from doing that. You could imagine having additional restrictions that make it hard for firms to stop people from building compliance tools on top of them. I don't know if we want that. But yeah, I guess I'm pretty optimistic that know compliance, automating AI will find a way. You know, at the very least there's like open source models that are not too far behind the frontier and this would be, you know, even harder for anyone to hold back intentionally.

C

Yeah. And I think that so long as the government is saying we're going to pay for this, or whether it's the Federal Government or 50 state governments or governments around the world that want to emulate this automated compliance mechanism, there will be a market for saying, hey yeah, we'll, we'll procure and then make available this AI compliance tool or set of tools and we'll give you this contract and so on and so forth. And so someone will want to make that money.

A

So a couple more, a couple more potential objections. So let me ask this one of you, Kevin. You know, one thing I can imagine a safety focused critic saying to this idea is, well, automatability triggers just sound like a way of delaying regulation, you know, if not indefinitely, then for quite some time. I mean, by advocating the way that you all present this in your paper is this is a way of calibrating lawmakers preferences around sort of safety versus innovation. But a different way of saying is, well, just the very idea of delaying this is kind of putting a thumb on the scale for deregulation because of course in the vast majority of other domains we don't actually do this so you gave some examples of sunrise provisions, which I think is very interesting to think about. But the counterexample that came to my mind, and I've not done a sort of deep study into this, but I think what I'm saying is reasonably accurate, which is when the epa, or let's say the State of California, which is really taking the lead on this, tells car companies you must drive emissions down such and such to 10%, 20%, whatever the case is, they actually have not always done that, knowing that such technology existed. Often it was, we're going to make you do this. We'll set the effective date of this sometime in the future to allow you to prepare. But it's kind of on you to figure out how to do this. So why isn't that the better answer? You know, if you're worried about the companies not being able to do this now, tell them, okay, you have two or three years to do this. This is going to go into effect. And instead of saying it'll only go into effect once someone else has figured out how to do it cheaply, it's going to go into effect. So if you meta Google, OpenAI, anthropic X, whatever, if you want to save money on the compliance, which presumably you do, you figure this out.

C

So it's a really valid critique and a good one. I think that the assumption that Colin and I are making and that folks like Paul Ohm have made and that other folks in the space have made is that AI seems to be closer to facilitating a lot of these kinds of compliance tasks than perhaps in another domain or a different sort of automated compliance scheme. So I think that day is sooner rather than later. So that, that's one response. Another response is, yes, this is certainly putting a thumb on the scale with respect to assuming some degree of delay. Now, that's a reflection of the fact that every single policy we enact always has costs and benefits. And this is sort of a forcing mechanism that says, are you really weighing those as seriously and as thoroughly as you can? And one aspect of that is the sort of loss in innovation, loss in safety, loss in just greater and novel technological development that may come as a result of that sort of premature regulation. Now, we didn't consider this in the paper, but I'd be curious, or perhaps we could add something on at some point exploring the notion of, okay, if these tools aren't available within three years or within 18 months or within however long, then it will go into effect, right? And that way you're kind of feeding Two birds with one scone. Hashtag, you're welcome, PETA. That is a different approach that we could certainly rely on that kind of tries to get both of those mechanisms going that you were mentioning, Alan. Both at one point putting folks on notice that they may have to comply with this, while also giving those innovators who want to develop the automated tool an incentive to giddy up, up and get going on whatever that automated compliance tool may look like.

B

Yeah. And maybe to add a few things.

A

Oh yeah, yeah, yeah.

B

As the person who tends to like, worry a bit more about like us not regulating in time is like, first, this dynamic works both ways. Right. This is a way of credibly signaling that like, and bindingly signaling that a regulation will come into effect if this milestone is met. Right. It's definitely like in some sense if you don't do the disjunctive thing that Kevin just said, more flexible than a, you know, date certain sort of on rise provision. But it's more certain than a like, well, we'll revisit it if there is a problem that requires us to legislate, which I think frankly is like the default outcome. The default outcome in legislation is nothing happens. Right. And so I think this is a way of trying to strike a deal that in principle principled parties can agree to. And then. Yeah. It also creates an incentive to order the technological innovations in a way that I think reflects what people should want. Right. We should want the technology that helps us solve these thorny trade offs before the applications of the technology that create hard problems. And so this is saying that all else equal, we would prefer to have the compliance automating technology sooner. Thank you. And if you do that, you will be rewarded by the market because there will be a captive market that is basically strongly incentivized to buy it. But there are situations in which you might worry that this is not ideal. So this makes the most sense for problems where you think, think you don't have catastrophes that arise before you have the compliance automating AI that could have prevented those catastrophes. And that may or may not be the case. So legislators would have to think carefully, empirically and strategically about whether the problem, this is the right solution for the problem that they're facing. And it might not be other things will make sense for other problems.

A

So I pose the sort of critique from the safety side to Kevin. Let me propose the opposite side of the critique to Colin, which is this all seems very complicated. Why are we trying to regulate stuff in the future when we Think that the technology that we don't really understand exists. This is not how we do stuff. Generally the way that legislatures usually work is that they identify a problem, they make sure they can fix it, and then they implement it. Why are we singling out AI for this sort of additional regulation? If the so regulation is cost benefit justified today, fine, we can have that fight. But if it's not cost benefit justified today, which is a little bit what I think the idea of these automatability triggers in the future kind of imply. Otherwise, why would you push it out to the future? What are we doing? There are so many other things that Congress could be doing today. It seems weird to both have them guess and also just seems weird, one might argue, to have them spend their precious current political capital on stuff that again, by definition is not going to happen for a while and may never happen.

B

Yeah, again, I think there's a lot of validity to that critique, especially as applied to different AI problems. Different problems in AI policies have different dynamics and require different solutions. And I think one of the best parts of scaling laws is bringing more nuance to all the various AI policy problems that exist. And so there are problems that I spend a lot of my time worrying about where society would probably have a very low, I think, risk tolerance. Right. So I think one example in this might be AI systems that would aid in the engineering of novel pathogens that we may not have immunity to, may be quite costly to respond to. Covid cost trillions and trillions of dollars. And so to be willing to prevent the next Covid we should be willing to spend a lot of money. And so I gu the way I think about this is that number one, the use of an automatability trigger sends a useful signal about we would prefer there to be lower cost to implement it implement this type of regulation. We are not willing to implement it at the current cost benefit analysis, but we would be at a different one. And number two, we're going to kind of make that commitment credible in a way that delaying until the problem has happened is not a credible kind of signal for market actors to be in working on in the meantime. Maybe sometimes it is, sometimes it isn't. So it's a way for legislators to really put a credible signal that there will be market incentives to regulate in the future or sorry to provide a certain type of AI service in the future.

A

Before we close, I want to talk a little bit about what I thought was a particularly interesting scenario that you all have. It's a little speculative as you all Describe, but it's a very interesting potential preview of the future which is is automated compliance meets automated governance. So I could try to summarize what you're all predicting, but I'd rather just hear it from you all. What is this potential Jetsons like world where essentially robots talk to robots to figure out what the law says. Colin, let me start with you.

B

Yeah, great. I think if you can just imagine, if you just imagine a kind of human staffed regulator and then the automated compliance regulated party, you're kind of playing half court tennis, right? So I think this probably works the most efficiently when the compliance automating AI can talk to at the speed of AI some sort of other AI systems in the regulator's offices that can help it understand like hey, can I get additional guidance on this for example? And, and I don't know how long that would take in a typical regulatory process. My guess is on the order of months, but maybe it can provide it in a matter of seconds. And that's just one benefit that kind of automated governance could bring to this process is kind of the speed of AI. And there's lots of others too. So why don't firms just share a bunch of information with regulators and just try to get better signal from them about what's tolerated. What's not one plausible answer is that that they are afraid that the regulator is going to use that selectively against them or hold it over their head or something. Part of the reason that is worrying is that because regulators are staffed by humans, humans can't just forget things that they've learned about regulated parties. But maybe you could design AI systems that could.

A

I have two small children, I can forget anything.

B

Envy you, envy you Alan. But maybe one thing that regulator side AIs could do is like have a kind of quasi privilege thing where they say like we want to get like regulatory guidance on this like type of thing. We're going to provide you a bunch of super sensitive documents that we wouldn't share with anyone normally. But because we have strong, you know, trust in the regulator side AI setup that you have, we know that you're not going to use them for other enforcement actions. You're just going to give us, you know, your regulatory approval and then we're good to go. And like, you know, we can have a kind of secure record of that that we keep. When you ask us later, you know, hey, why'd you do this? And, and we could say, well we showed this to your regulator AI and it said it was okay. And then everything's good. So I think just ideas like this about the potential synergies between these two things is going to be a really important dynamic in the 21st century to consider.

C

And I'll just add what I think could be a concrete example of this. So I'm thinking a lot about workforce and job displacement issues right now. And there's a lot of conversation about how we can update the Warn Apple Act. And for folks who aren't steeped in 1970s policy, this was the idea that when you lay off a 300 folks at your factory in Buffalo, New York, you have to tell not the Department of Labor because that would make too much sense, but the local officials in your state that you're about to lay off 300 people. Well, now we have a lot of concerns. For example, we're talking on January 28, 2026, Amazon announced it's going to lay off off 16,000 people. And some people are attributing that to AI. And so there's a lot of conversation about how can we manage the labor market in a more productive fashion. Now, no company wants to send to the Department of Labor, hey, here's all of our information three weeks in advance. We're about to lay off these people. Please don't do anything mean or give us bad press or anything like that. What they may be willing to do is, let's say on a quarterly or monthly basis, submit data via automated compliance to the Department of Labor, who can then aggregate and then share out really valuable insights that could trigger congressional hearings or a response by the Department of Labor or new programs, by job retraining programs and things like that. That's a whole new workflow and kind of regulatory approach that we just don't have that automated compliance and by extension automated governance could realize. And that to me is really exciting. Exciting.

A

So I want to end by asking you two to reflect a little bit about sort of your journey in writing this paper. As you know, and I think, Kevin, as you pointed out earlier in the conversation you two are on, I don't want to say opposite sides of the pro regulatory versus deregulatory spectrum, but there's some sort of daylight obviously between you two, which I think is actually always a really fun way to sort of collaborate. And I'm curious, having thought through this issue and the many conversations I'm sure you two had in writing this paper, has it changed your views on either the optimal timing or content of AI regulation? So let me ask Kevin your version of this question and then I'll close out by asking Cullen his version, you know, Kevin, has it made you more sympathetic to some forms of earlier or more intensive regulation on AI, let's say?

C

Yeah, I think I'm very sympathetic to the argument that there are certain things that we may not be able to measure. And this is where Colin and I think had a meaningful discourse of automated compliance can only go so far are. And so by virtue of writing this paper and having that experience, I think it did shine a light on what are the areas of AI governance where we're still going to have to have a sort of human driven conversation about what risks and what benefits are we willing to tolerate? Because quantifying all of that and using AI to derive all of the requisite inputs and data may not always be possible in the near term term, given the sort of risks that we often talk about in a more kind of long term perspective. And so to me it was just a really useful exercise to try to bifurcate what's the sort of information where automated compliance could be really useful and what are the sorts of tasks that will not allow for that sort of compliance and then with respect to those tasks, who then has the institutional capacity to handle, handle those regulatory questions. So to me it just added more nuance, to use Colin's word. And more nuance, in my opinion is always better and a heck of a lot more fun.

A

So Cullen, let me ask you sort of your version of the same question to close out. Has it made you more sympathetic to the concerns from the quote unquote pro innovation side around compliance costs?

B

Yeah, I mean, I think the pro innovation side has done a really good job of hammering or injecting a few different very important memes into this discourse. And I think working on this paper, it was great to grapple with them. And among these, one thing that I hope comes clear is that we're both big believers in the idea that technology is generally positive sum and a lot of discourse tends to lose light of that fact. And this is kind of in some way applying this general positive sum dynamic into a domain where there's often assumed to be a zero sum kind of trade off. Right. So I think grappling with that has been fun. I think think that grappling with these timing problems is also kind of important. When I was at OpenAI, one thing that OpenAI talks about a lot is the benefits of iterated deployment. And by which they mean that the process of society seeing AI progress and learning how to deal with it incrementally is beneficial to the kind of of long term challenge that humanity has of figuring out how to deal with AI systems. People can agree or disagree with the specific ways in which OpenAI has been going about that kind of iterative deployment philosophy, but I think that the core insight that learning from the technology and leveraging some of its beneficial uses as it advances has a lot of benefits that I think AI safety and policy discourse, you know, four years ago or something, might not have appreciated. And I do think this general bet of try to sequence AI innovation in the way that gets you the most socially beneficial applications first and think about ways to do that instead of just framing it as a progress versus stasis kind of problem, I think is maybe a more productive framing and thinking about ways to do that I think is a fruitful policy endeavor that hopefully this paper is just the first of many in because I think everyone agrees that different forms of progress have different social values. Progress in more addictive drugs is probably not a good thing. Progress in providing legal services to people, medical innovations, et cetera is better. And so when we can kind of selectively pick beneficial forms of innovation, all else equal, we should prefer to do that. And yeah, this is just one way to do that.

A

Well, I think it's a good place to leave it. It's a great paper. We'll link to the original paper that Law AI is hosting and then to a shorter, Lawful Fair post that should be out by the time this is released. But thank you Colin and Kevin for coming on the show and talking about it.

B

Thanks Alan.

C

Always a hoot.

A

Thanks.

C

Scaling Laws is a joint production of lawfare and the University of Texas School of Law. You can get an ad free version of this and other Lawfare podcasts by becoming a material subscriber at our website lawfaremedia.org you'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts. Check out our written work@lawfaremedia.org you can also follow us on X and Blue Sky. This podcast was edited by Noam Osband of Goat Rodeo. Our music is from Alibi. As always, thanks for listening. Want to turn challenges into chances?

A

Go digital enterprise and adapt to every change by combining the real and digital worlds.

C

Transform the everyday with Siemens.